Diffstat (limited to 'qvisqve/token_router.py')
-rw-r--r--qvisqve/token_router.py36
1 files changed, 29 insertions, 7 deletions
diff --git a/qvisqve/token_router.py b/qvisqve/token_router.py
index 911e899..c510b8b 100644
--- a/qvisqve/token_router.py
+++ b/qvisqve/token_router.py
@@ -26,10 +26,10 @@ import qvisqve_secrets
class TokenRouter(qvisqve.Router):
- def __init__(self, token_generator, clients):
+ def __init__(self, token_generator, clients, authz_attempts):
qvisqve.log.log('debug', msg_text='TokenRouter init starts')
super().__init__()
- args = (clients, token_generator)
+ args = (clients, token_generator, authz_attempts)
self._grants = {
'client_credentials': ClientCredentialsGrant(*args),
'authorization_code': AuthorizationCodeGrant(*args),
@@ -75,9 +75,10 @@ class TokenRouter(qvisqve.Router):
class Grant:
- def __init__(self, clients, generator):
+ def __init__(self, clients, generator, authz_attempts):
self._clients = clients
self._generator = generator
+ self._attempts = authz_attempts
class ClientCredentialsGrant(Grant):
@@ -123,11 +124,32 @@ class ClientCredentialsGrant(Grant):
class AuthorizationCodeGrant(Grant):
def get_token(self, request, params):
+ client_id, client_secret = request.auth
+ if not self._clients.is_valid_secret(client_id, client_secret):
+ qvisqve.log.log('error', msg_text='Invalid client creds given')
+ return qvisqve.unauthorized_response('Access denied')
+
code = self._get_code(params)
- # FIXME
- if code is None or code != '123':
- return qvisqve.unauthorized_response('Unauthorized')
- empty_token = self._generator.new_token('', '')
+ if code is None:
+ qvisqve.log.log('error', msg_text='No code given')
+ return qvisqve.unauthorized_response('Access denied')
+
+ aa = self._attempts.find_by_code(code)
+ if aa is None:
+ qvisqve.log.log('error', msg_text='Unknown code given', code=code)
+ return qvisqve.unauthorized_response('Access denied')
+
+ subject_id = aa.get_subject_id()
+ scope = aa.get_scope()
+ allowed = self._clients.get_allowed_scopes(client_id)
+ scope = ' '.join(
+ s
+ for s in scope.split()
+ if s in allowed
+ )
+
+ empty_token = self._generator.new_token(
+ '', scope, subject_id=subject_id)
return qvisqve.ok_response({
'access_token': empty_token,
'token_type': 'Bearer',
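Review bot: The authorization code fetched on the `aa = self._attempts.find_by_code(code)` line is never invalidated, so the same code can be exchanged repeatedly for fresh tokens for as long as the attempt stays in the store, whereas RFC 6749 §4.1.2 requires a code to be single-use; consume it before issuing the token, e.g. `self._attempts.remove(aa)` (or whatever removal the attempts store offers), and reject attempts older than a short lifetime, which nothing in this hunk checks. The code is also not bound to the client redeeming it: once `is_valid_secret` passes, any registered client can swap a code issued to a different client for that subject's token, so compare the attempt's client id with `client_id` if the attempt records one. `client_id, client_secret = request.auth` raises TypeError instead of returning 401 when the request carries no credentials, if `request.auth` can be None; guard it with `if request.auth is None: return qvisqve.unauthorized_response('Access denied')`. The name `empty_token` is now misleading, since the token carries a scope and subject. get_token's return statement continues past the end of the hunk.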