allow '*' scope for full account access

lib/apis.js

@@ -136,6 +136,8 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
         req.oauth3.accountIdx = accountIdx;
         req.oauth3.ppid = ppid;
         req.oauth3.accountHash = crypto.createHash('sha1').update(accountIdx).digest('hex');
+        //console.log('[com.daplie.walnut] accountIdx:', accountIdx);
+        //console.log('[com.daplie.walnut] ppid:', ppid);
 
         next();
       });
@@ -269,6 +271,8 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
           }
 
           return function (req, res, next) {
+            var tokenScopes;
+
             if (!(req.oauth3 || req.oauth3.token)) {
               // TODO some error generator for standard messages
               res.send({ error: { message: "You must be logged in", code: "E_NO_AUTHN" } });
@@ -279,11 +283,18 @@ module.exports.create = function (xconfx, apiFactories, apiDeps) {
               return;
             }
 
+            tokenScopes = req.oauth3.token.scp.split(/[,\s]+/mg);
+            if (-1 !== tokenScopes.indexOf('*')) {
+              // has full account access
+              next();
+              return;
+            }
+
             // every grant in the array must be present
             if (!grants.every(function (grant) {
               var scopes = grant.split(/\|/g);
               return scopes.some(function (scp) {
-                return req.oauth3.token.scp.split(/[,\s]+/mg).some(function (s) {
+                return tokenScopes.some(function (s) {
                   return scp === s;
                 });
               });