Code:

```go
package main

import (
	"fmt"
	"log"
	"net/url"

	"github.com/gofiber/fiber/v2"
	"github.com/markbates/goth"
	"github.com/markbates/goth/providers/strava"
	gf "github.com/podanypepa/gothfiberv2"
)

const (
	stravaClientId     = "client_id"
	stravaClientSecret = "client_secret"
)

func main() {
	goth.UseProviders(
		// Expected but it doesn't work
		strava.New(stravaClientId, stravaClientSecret, "http://localhost:4000/auth/strava/callback", "activity:read", "activity:read_all"),
		// Workaround
		// strava.New(stravaClientId, stravaClientSecret, "http://localhost:4000/auth/strava/callback", "activity:read,activity:read_all"),
	)

	app := fiber.New()

	app.Get("/auth/:provider/callback", func(ctx *fiber.Ctx) error {
		user, err := gf.CompleteUserAuth(ctx)
		if err != nil {
			return err
		}
		queryStr := string(ctx.Request().URI().QueryString())
		params, err := url.ParseQuery(queryStr)
		if err != nil {
			// Log and return the error; log.Fatal here would terminate the whole server.
			log.Println(err)
			return err
		}
		// Debug output of the callback query parameters
		fmt.Println("Query Params: ")
		for key, value := range params {
			fmt.Printf(" %v = %v\n", key, value)
		}
		return ctx.JSON(user)
	})

	app.Get("/logout/:provider", func(ctx *fiber.Ctx) error {
		gf.Logout(ctx)
		return ctx.Redirect("/")
	})

	app.Get("/auth/:provider", func(ctx *fiber.Ctx) error {
		if gothUser, err := gf.CompleteUserAuth(ctx); err == nil {
			return ctx.JSON(gothUser)
		}
		gf.BeginAuthHandler(ctx)
		return nil
	})

	app.Get("/", func(ctx *fiber.Ctx) error {
		return ctx.Format("<p><a href='/auth/strava'>strava</a></p>")
	})

	log.Fatal(app.Listen(":4000"))
}
```

Reproduce:

- Uncomment line
  `strava.New(stravaClientId, stravaClientSecret, "http://localhost:4000/auth/strava/callback", "activity:read", "activity:read_all"),`
- Run `go run main.go` and open http://localhost:4000
- Click on the link that has the text "strava".
- The redirect URL is:
  `https://www.strava.com/oauth/authorize?client_id=...&redirect_uri=http%3A%2F%2Flocalhost%3A4000%2Fauth%2Fstrava%2Fcallback&response_type=code&scope=activity%3Aread+activity%3Aread_all&state=nY0GtwcCjYq1WWZ4MPlfbHM2_at-oB9Q_InKCo1WdBbav2pVs96cF9vLxf8wg28yC5SKrkGcnLIzSG4bKkzZdg%3D%3D`
- Scope query value:
  `scope=activity%3Aread+activity%3Aread_all`
- Response error:

  ```json
  {
    "message": "Bad Request",
    "errors": [
      {
        "resource": "Authorize",
        "field": "scope",
        "code": "invalid"
      }
    ]
  }
  ```
- If you use the workaround config, it works.
  The scope query value is `scope=activity%3Aread%2Cactivity%3Aread_all` (the difference is the character `+` vs `%2C` (decoded string of `,`))

goth/providers/strava/strava.go, lines 159 to 161 in 9dc8905:

```go
for _, scope := range scopes {
	c.Scopes = append(c.Scopes, scope)
}
```

should be

```go
// c.Scopes is a []string, so the comma-joined scopes are appended as one element
c.Scopes = append(c.Scopes, strings.Join(scopes, ","))
```
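
The delimiter difference described in this issue, as an added example that is not part of the original report or of goth. `normalizeStravaScopes` and `scopeQuery` are hypothetical names. `scopeQuery` assumes the OAuth2 client joins the scope slice with a space before URL-encoding, which matches the `+` seen in the redirect URL above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// normalizeStravaScopes is a hypothetical helper (not part of goth). It accepts
// scopes passed as separate arguments or already comma/space separated, drops
// blanks and duplicates, and returns ONE comma-joined element, so a later
// space-join of the slice cannot change the delimiter Strava expects.
func normalizeStravaScopes(scopes ...string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range scopes {
		fields := strings.FieldsFunc(s, func(r rune) bool { return r == ',' || r == ' ' })
		for _, f := range fields {
			if !seen[f] {
				seen[f] = true
				out = append(out, f)
			}
		}
	}
	if len(out) == 0 {
		return nil
	}
	return []string{strings.Join(out, ",")}
}

// scopeQuery builds the scope parameter the way the redirect URL in the report
// shows it (assumption: space-joined slice, which url.Values encodes as "+").
func scopeQuery(scopes []string) string {
	v := url.Values{}
	v.Set("scope", strings.Join(scopes, " "))
	return v.Encode()
}

func main() {
	raw := []string{"activity:read", "activity:read_all"}
	// Space delimiter, rejected by Strava as an invalid scope
	fmt.Println(scopeQuery(raw))
	// Comma delimiter, the form the workaround produces
	fmt.Println(scopeQuery(normalizeStravaScopes(raw...)))
}
```

Checking the `scope` value in the generated authorize URL this way confirms the request asks for exactly the intended scopes before any user is sent to the consent screen.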