Validate scopes per client

Author: jeanp413

components/server/src/oauth-server/db.ts

@@ -67,6 +67,9 @@ function createVSCodeClient(protocol: "vscode" | "vscode-insiders"): OAuthClient
             { name: "function:getGitpodTokenScopes" },
             { name: "function:getLoggedInUser" },
             { name: "function:accessCodeSyncStorage" },
+            { name: "function:getOwnerToken" },
+            { name: "function:getWorkspace" },
+            { name: "function:getWorkspaces" },
             { name: "resource:default" },
         ],
     };

components/server/src/oauth-server/repository.ts

@@ -48,6 +48,11 @@ export const inMemoryScopeRepository: OAuthScopeRepository = {
         client: OAuthClient,
         user_id?: string,
     ): Promise<OAuthScope[]> {
-        return scopes;
+        const clientScopes = client.scopes.map((s) => s.name);
+        if (scopes.every((s) => clientScopes.includes(s.name))) {
+            return scopes;
+        }
+
+        throw new Error("Requested scopes not allowed");
     },
 };