aspera-cli 4.24.2 → 4.25.0

data/lib/aspera/environment.rb

@@ -5,7 +5,9 @@ require 'aspera/log'
 require 'aspera/assert'
 require 'rbconfig'
 require 'singleton'
+require 'open3'
 require 'English'
+require 'shellwords'
 
 # cspell:words MEBI mswin bccwin
 
@@ -40,100 +42,85 @@ module Aspera
 
     RB_EXT = '.rb'
 
+    PROCESS_MODES = %i[execute background capture].freeze
+
     class << self
       def ruby_version
         return RbConfig::CONFIG['RUBY_PROGRAM_VERSION']
       end
 
-      # empty variable binding for secure eval
+      # Empty variable binding for secure eval
       def empty_binding
         return Kernel.binding
       end
 
-      # secure execution of Ruby code
+      # Secure execution of Ruby code
+      # @param code [String] Ruby code to execute
+      # @param file [String] File name for error reporting
+      # @param line [Integer] Line number for error reporting
       def secure_eval(code, file, line)
         Kernel.send('lave'.reverse, code, empty_binding, file, line)
       end
 
-      # Generate log line for external program with arguments
-      # @param env [Hash, nil]   environment variables
-      # @param exec [String]     path to executable
-      # @param args [Array, nil] arguments
-      # @return [String] log line with environment, program and arguments
-      def log_spawn(exec:, args: nil, env: nil)
-        [
-          'execute:'.red,
-          env&.map{ |k, v| "#{k}=#{Shellwords.shellescape(v)}"},
-          Shellwords.shellescape(exec),
-          args&.map{ |a| Shellwords.shellescape(a)}
-        ].compact.flatten.join(' ')
-      end
-
-      # Start process in background
-      # caller can call Process.wait on returned value
-      # @param exec    [String]     path to executable
-      # @param args    [Array, nil] arguments for executable
-      # @param env     [Hash, nil]  environment variables
-      # @param options [Hash, nil]  spawn options
-      # @return [String]            PID of process
-      # @raise  [Exception]         if problem
-      def secure_spawn(exec:, args: nil, env: nil, **options)
-        Aspera.assert_type(exec, String)
-        Aspera.assert_type(args, Array, NilClass)
-        Aspera.assert_type(env, Hash, NilClass)
-        Aspera.assert_type(options, Hash, NilClass)
-        Log.log.debug{log_spawn(exec: exec, args: args, env: env)}
-        # start ascp in separate process
-        spawn_args = []
-        spawn_args.push(env) unless env.nil?
-        spawn_args.push([exec, exec])
-        spawn_args.concat(args) unless args.nil?
-        opts = {close_others: true}
-        opts.merge!(options) unless options.nil?
-        ascp_pid = Process.spawn(*spawn_args, **opts)
-        Log.log.debug{"pid: #{ascp_pid}"}
-        return ascp_pid
+      # Build argv for Process.spawn / Kernel.system (no shell)
+      # @param cmd    [Array]  Command and arguments
+      # @param kwargs [Hash]   Additional arguments to `secure_execute`
+      def build_spawn_argv(cmd, kwargs)
+        env = kwargs.delete(:env)
+        argv = []
+        argv << env if env
+        argv << [cmd.first, cmd.first] # no shell, preserve argv[0]
+        argv.concat(cmd.drop(1))
+        argv
       end
 
-      # start process and wait for completion
-      # @param env [Hash, nil]   environment variables
-      # @param exec [String]     path to executable
-      # @param args [Array, nil] arguments
-      # @return [String] PID of process
-      def secure_execute(exec:, args: nil, env: nil, **system_args)
-        Aspera.assert_type(exec, String)
-        Aspera.assert_type(args, Array, NilClass)
-        Aspera.assert_type(env, Hash, NilClass)
-        Log.log.debug{log_spawn(exec: exec, args: args, env: env)}
-        # start in separate process
-        spawn_args = []
-        spawn_args.push(env) unless env.nil?
-        # ensure no shell expansion
-        spawn_args.push([exec, exec])
-        spawn_args.concat(args) unless args.nil?
-        kwargs = {exception: true}
-        kwargs.merge!(system_args)
-        Kernel.system(*spawn_args, **kwargs)
-        nil
-      end
-
-      # Execute process and capture stdout
-      # @param exec [String] path to executable
-      # @param args [Array] arguments to executable
-      # @param opts [Hash] options to capture3
-      # @return stdout of executable or raise exception
-      def secure_capture(exec:, args: [], exception: true, **opts)
-        Aspera.assert_type(exec, String)
-        Aspera.assert_type(args, Array)
-        Aspera.assert_type(opts, Hash)
-        Log.log.debug{log_spawn(exec: exec, args: args)}
-        Log.dump(:opts, opts, level: :trace2)
-        Log.dump(:ENV, ENV.to_h, level: :trace1)
-        stdout, stderr, status = Open3.capture3(exec, *args, **opts)
-        Log.log.debug{"status=#{status}, stderr=#{stderr}"}
-        Log.log.trace1{"stdout=#{stdout}"}
-        raise "process failed: #{status.exitstatus} (#{stderr})" if !status.success? && exception
-        return stdout
+      # Execute a process securely (no shell)
+      # mode:
+      #   :execute    -> Kernel.system, return nil
+      #   :background -> Process.spawn, return pid
+      #   :capture    -> Open3.capture3, return stdout
+      # @param cmd       [Array]     Command and arguments
+      # @param env       [Hash, nil] Environment variables
+      # @param mode      [Symbol]    Execution mode (see above)
+      # @param kwargs    [Hash]      Additional arguments to underlying method, includes:
+      #                              :exception [Boolean] for :capture mode, raise error if process fails
+      #                              :close_others [Boolean] for :background mode
+      #                              :env [Hash] for :execute mode
+      def secure_execute(*cmd, mode: :execute, **kwargs)
+        cmd = cmd.map(&:to_s)
+        Aspera.assert(cmd.size.positive?, type: ArgumentError){'executable must be present'}
+        Aspera.assert_values(mode, PROCESS_MODES, type: ArgumentError){'mode'}
+        Log.log.debug do
+          parts = [mode.to_s, 'command:']
+          kwargs[:env]&.each{ |k, v| parts << "#{k}=#{Shellwords.shellescape(v.to_s)}"}
+          cmd.each{ |a| parts << Shellwords.shellescape(a)}
+          parts.join(' ')
+        end
+        case mode
+        when :execute
+          # https://docs.ruby-lang.org/en/master/Kernel.html#method-i-system
+          # https://docs.ruby-lang.org/en/master/Process.html#module-Process-label-Execution+Options
+          kwargs[:exception] = true unless kwargs.key?(:exception)
+          Kernel.system(*build_spawn_argv(cmd, kwargs), **kwargs)
+        when :background
+          # https://docs.ruby-lang.org/en/master/Process.html#method-c-spawn
+          # https://docs.ruby-lang.org/en/master/Process.html#module-Process-label-Execution+Options
+          kwargs[:close_others] = true unless kwargs.key?(:close_others)
+          pid = Process.spawn(*build_spawn_argv(cmd, kwargs), **kwargs)
+          Log.dump(:pid, pid)
+          pid
+        when :capture
+          # https://docs.ruby-lang.org/en/master/Open3.html#method-c-capture3
+          # https://docs.ruby-lang.org/en/master/Process.html#module-Process-label-Execution+Options
+          argv = [kwargs.delete(:env)].compact + cmd
+          exception = kwargs.delete(:exception){true}
+          stdout, stderr, status = Open3.capture3(*argv, **kwargs)
+          Log.log.debug{"status=#{status}, stderr=#{stderr}"}
+          Log.log.trace1{"stdout=#{stdout}"}
+          raise "Process failed: #{status.exitstatus} (#{stderr})" if exception && !status.success?
+          stdout
+        else Aspera.error_unreachable_line
+        end
       end
 
       # Write content to a file, with restricted access
@@ -266,9 +253,9 @@ module Aspera
     # @param uri [String] the URI to open
     def open_uri_graphical(uri)
       case @os
-      when Environment::OS_MACOS then return self.class.secure_execute(exec: 'open', args: [uri.to_s])
-      when Environment::OS_WINDOWS then return self.class.secure_execute(exec: 'start', args: ['explorer', %Q{"#{uri}"}])
-      when Environment::OS_LINUX   then return self.class.secure_execute(exec: 'xdg-open', args: [uri.to_s])
+      when Environment::OS_MACOS then return self.class.secure_execute('open', uri.to_s)
+      when Environment::OS_WINDOWS then return self.class.secure_execute('start', 'explorer', %Q{"#{uri}"})
+      when Environment::OS_LINUX   then return self.class.secure_execute('xdg-open', uri.to_s)
       else Assert.error_unexpected_value(os){'no graphical open method'}
       end
     end
@@ -276,9 +263,9 @@ module Aspera
     # open a file in an editor
     def open_editor(file_path)
       if ENV.key?('EDITOR')
-        self.class.secure_execute(exec: ENV['EDITOR'], args: [file_path.to_s])
+        self.class.secure_execute(ENV['EDITOR'], file_path.to_s)
       elsif @os.eql?(Environment::OS_WINDOWS)
-        self.class.secure_execute(exec: 'notepad.exe', args: [%Q{"#{file_path}"}])
+        self.class.secure_execute('notepad.exe', %Q{"#{file_path}"})
       else
         open_uri_graphical(file_path.to_s)
       end

data/lib/aspera/faspex_gw.rb

@@ -55,7 +55,7 @@ module Aspera
         content_type: Rest::MIME_JSON,
         body:         {paths: [{'destination'=>'/'}]},
         headers:      {'Accept' => Rest::MIME_JSON}
-      )[:data]
+      )
       transfer_spec.delete('authentication')
       # but we place it in a Faspex package creation response
       return {

data/lib/aspera/faspex_postproc.rb

@@ -50,7 +50,7 @@ module Aspera
         Log.dump(:webhook_parameters, webhook_parameters)
         # env expects only strings
         environment = webhook_parameters.each_with_object({}){ |(k, v), h| h[k] = v.to_s}
-        post_proc_pid = Environment.secure_spawn(env: environment, exec: script_path)
+        post_proc_pid = Environment.secure_execute(script_path, mode: :background, env: environment)
         Timeout.timeout(@parameters[:timeout_seconds]) do
           # "wait" for process to avoid zombie
           Process.wait(post_proc_pid)

data/lib/aspera/id_generator.rb

@@ -9,19 +9,16 @@ module Aspera
     class << self
       # Generate an ID from a list of object IDs
       # The generated ID is safe as file name
-      # @param object_id [Array<String>, String] the object IDs
+      # @param ids [Array] the object IDs (can be nested, will be flattened, and nils removed)
       # @return [String] the generated ID
-      def from_list(object_id)
+      def from_list(*ids)
         safe_char = Environment.instance.safe_filename_character
-        if object_id.is_a?(Array)
-          # compact: remove nils
-          object_id = object_id.flatten.compact.map do |i|
-            i.is_a?(String) && i.start_with?('https://') ? URI.parse(i).host : i.to_s
-          end.join(safe_char)
-        end
-        Aspera.assert_type(object_id, String)
+        # compact: remove nils
+        id = ids.flatten.compact.map do |i|
+          i.is_a?(String) && i.start_with?('https://') ? URI.parse(i).host : i.to_s
+        end.join(safe_char)
         # keep dot for extension only (nicer)
-        return Environment.instance.sanitized_filename(object_id.gsub('.', safe_char)).downcase
+        return Environment.instance.sanitized_filename(id.gsub('.', safe_char)).downcase
       end
     end
   end

data/lib/aspera/keychain/factory.rb

@@ -12,8 +12,7 @@ module Aspera
         # @param folder   [String] folder to store the vault (if needed)
         # @param password [String] password to open the vault
         def create(info, name, folder, password)
-          Aspera.assert_type(info, Hash)
-          Aspera.assert(info.values.all?(String)){'vault info shall have only string values'}
+          Aspera.assert_hash_all(info, Symbol, String){'vault info shall have only string values'}
           info = info.symbolize_keys
           vault_type = info.delete(:type)
           Aspera.assert_values(vault_type, LIST.map(&:to_s)){'vault.type'}

data/lib/aspera/keychain/macos_security.rb

@@ -49,7 +49,7 @@ module Aspera
               options[:path] = uri.path unless ['', '/'].include?(uri.path)
               options[:port] = uri.port unless uri.port.eql?(443) && !url.include?(':443/')
             end
-            command_args = [command]
+            command_args = [SECURITY_UTILITY, command]
             options&.each do |k, v|
               Aspera.assert(supported.key?(k)){"unknown option: #{k}"}
               next if v.nil?
@@ -57,7 +57,7 @@ module Aspera
               command_args.push(v.shellescape) unless v.empty?
             end
             command_args.push(last_opt) unless last_opt.nil?
-            return Environment.secure_capture(exec: SECURITY_UTILITY, args: command_args)
+            return Environment.secure_execute(*command_args, mode: :capture)
           end
 
           def key_chains(output)

data/lib/aspera/log.rb

@@ -81,8 +81,9 @@ module Aspera
       # @param object [Hash, nil]       Data to dump
       # @param level  [Symbol]          Debug level
       # @param block  [Proc, nil]       Give computed object
-      def dump(name, object = nil, level: :debug)
+      def dump(name, object = nil, level: :debug, &block)
         return unless instance.logger.send(:"#{level}?")
+        Aspera.assert(object.nil? || block.nil?){'Use either object, or block, not both'}
         object = yield if block_given?
         instance.logger.send(level, obj_dump(name, object))
       end

data/lib/aspera/markdown.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aspera
+  # Formatting for Markdown
+  class Markdown
+    # Matches: **bold**, `code`, or an HTML entity (&, ©, 💩)
+    FORMATS = /(?:\*\*(?<bold>[^*]+?)\*\*)|(?:`(?<code>[^`]+)`)|&(?<entity>(?:[A-Za-z][A-Za-z0-9]{1,31}|#\d{1,7}|#x[0-9A-Fa-f]{1,6}));/m
+    HTML_BREAK = '<br/>'
+
+    class << self
+      # Generate markdown from the provided 2D table
+      def table(table)
+        # get max width of each columns
+        col_widths = table.transpose.map do |col|
+          [col.flat_map{ |c| c.to_s.delete('`').split(HTML_BREAK).map(&:size)}.max, 80].min
+        end
+        headings = table.shift
+        table.unshift(col_widths.map{ |col_width| '-' * col_width})
+        table.unshift(headings)
+        lines = table.map{ |line| "| #{line.map{ |i| i.to_s.gsub('\\', '\\\\').gsub('|', '\|')}.join(' | ')} |\n"}
+        lines[1] = lines[1].tr(' ', '-')
+        return lines.join.chomp
+      end
+
+      # Generate markdown list from the provided list
+      def list(items)
+        items.map{ |i| "- #{i}"}.join("\n")
+      end
+    end
+  end
+end

data/lib/aspera/nagios.rb

@@ -21,7 +21,7 @@ module Aspera
     end
 
     class << self
-      # process results of a analysis and display status and exit with code
+      # Process results of a analysis and display status and exit with code
       def process(data)
         Aspera.assert_type(data, Array)
         Aspera.assert(!data.empty?){'data is empty'}
@@ -54,7 +54,7 @@ module Aspera
       @data = []
     end
 
-    # compare remote time with local time
+    # Compare remote time with local time
     def check_time_offset(remote_date, component)
       # check date if specified : 2015-10-13T07:32:01Z
       remote_time = Time.parse(remote_date)
@@ -76,10 +76,11 @@ module Aspera
       # TODO: check on database if latest version
     end
 
-    # translate for display
-    def result
+    # Readable status list
+    # @return [Array] of Hash
+    def status_list
       Aspera.assert(!@data.empty?){'missing result'}
-      {type: :object_list, data: @data.map{ |i| {'status' => LEVELS[i[:code]].to_s, 'component' => i[:comp], 'message' => i[:msg]}}}
+      @data.map{ |i| {'status' => LEVELS[i[:code]].to_s, 'component' => i[:comp], 'message' => i[:msg]}}
     end
   end
 end

data/lib/aspera/oauth/base.rb

@@ -14,83 +14,58 @@ module Aspera
     # Bearer Token Usage: https://tools.ietf.org/html/rfc6750
     class Base
       Aspera.require_method!(:create_token)
-      # @param **             Parameters for REST
-      # @param client_id      [String, nil]
-      # @param client_secret  [String, nil]
-      # @param scope          [String, nil]
-      # @param use_query      [bool]        Provide parameters in query instead of body
-      # @param path_token     [String]      API end point to create a token from base URL
-      # @param token_field    [String]      Field in result that contains the token
-      # @param cache_ids      [Array, nil]  List of unique identifiers for cache id generation
+      # @param params         [Hash]    Parameters for token creation (client_id, client_secret, scope, etc...)
+      # @param use_query      [Boolean] Provide parameters in query instead of body
+      # @param path_token     [String]  API end point to create a token from base URL
+      # @param token_field    [String]  Field in result that contains the token
+      # @param cache_ids      [Array]   List of unique identifiers for cache id generation
+      # @param **rest_params  [Hash]    Parameters for REST
       def initialize(
-        client_id: nil,
-        client_secret: nil,
-        scope: nil,
+        params: {},
         use_query: false,
         path_token:  'token',
         token_field: Factory::TOKEN_FIELD,
-        cache_ids: nil,
+        cache_ids: [],
         **rest_params
       )
+        Aspera.assert_type(params, Hash)
+        Aspera.assert_type(cache_ids, Array)
         # This is the OAuth API
         @api = Rest.new(**rest_params)
-        @scope = nil
-        @token_cache_id = nil
+        @params = params.dup.freeze
         @path_token = path_token
         @token_field = token_field
-        @client_id = client_id
-        @client_secret = client_secret
         @use_query = use_query
-        @base_cache_ids = cache_ids.nil? ? [] : cache_ids.clone
-        Aspera.assert_type(@base_cache_ids, Array)
-        # TODO: this shall be done in class, using cache_ids
-        @base_cache_ids.push(@api.auth_params[:username]) if @api.auth_params.key?(:username)
-        @base_cache_ids.compact!
-        @base_cache_ids.freeze
-        self.scope = scope
+        # TODO: :username and :scope shall be done in class, using cache_ids
+        @token_cache_id = Factory.cache_id(@api.base_url, self.class, cache_ids, rest_params[:username], @params[:scope])
       end
 
-      # Scope can be modified after creation, then update identifier for cache
-      def scope=(scope)
-        @scope = scope
-        # generate token unique identifier for persistency (memory/disk cache)
-        @token_cache_id = Factory.cache_id(@api.base_url, self.class, @base_cache_ids, @scope)
-      end
-
-      attr_reader :scope, :api, :path_token, :client_id
+      # The OAuth API Object
+      attr_reader :api
+      # Sub path to generate token
+      attr_reader :path_token
+      # Parameters to generate token
+      attr_reader :params
 
-      # helper method to create token as per RFC
+      # Helper method to create token as per RFC
+      # @return [HTTPResponse]
+      # @raise RestError if not 2XX code
       def create_token_call(creation_params)
         Log.log.debug{'Generating a new token'.bg_green}
-        payload = if @use_query
-          {
-            query: creation_params
-          }
-        else
-          {
-            content_type: Rest::MIME_WWW,
-            body:         creation_params
-          }
-        end
-        return @api.call(
-          operation: 'POST',
-          subpath:   @path_token,
-          headers:   {'Accept' => Rest::MIME_JSON},
-          **payload
-        )
+        return @api.create(@path_token, nil, query: creation_params, ret: :resp) if @use_query
+        return @api.create(@path_token, creation_params, content_type: Rest::MIME_WWW, ret: :resp)
       end
 
+      # Create base parameters for token creation calls
       # @param add_secret [Boolean] Add secret in default call parameters
       # @return [Hash] Optional general parameters
-      def optional_scope_client_id(add_secret: false)
-        call_params = {}
-        call_params[:scope] = @scope unless @scope.nil?
-        call_params[:client_id] = @client_id unless @client_id.nil?
-        call_params[:client_secret] = @client_secret unless !add_secret || @client_id.nil? || @client_secret.nil?
+      def base_params(add_secret: false)
+        call_params = @params.dup
+        call_params.delete(:client_secret) unless add_secret
         return call_params
       end
 
-      # @return value suitable for Authorization header
+      # @return [String] value suitable for Authorization header
       def authorization(**kwargs)
         return OAuth::Factory.bearer_authorization(token(**kwargs))
       end
@@ -122,17 +97,18 @@ module Aspera
             Factory.instance.persist_mgr.delete(@token_cache_id)
             token_data = nil
             # lets try the existing refresh token
+            # NOTE: AoC admin token has no refresh, and lives by default 1800secs
             if !refresh_token.nil?
-              Log.log.info{"refresh=[#{refresh_token}]".bg_green}
-              # NOTE: AoC admin token has no refresh, and lives by default 1800secs
-              resp = create_token_call(optional_scope_client_id(add_secret: true).merge(grant_type: 'refresh_token', refresh_token: refresh_token))
-              if resp[:http].code.start_with?('2')
-                # save only if success
-                json_data = resp[:http].body
+              Log.log.info{"refresh token=[#{refresh_token}]".bg_green}
+              begin
+                http = create_token_call(base_params(add_secret: true).merge(grant_type: 'refresh_token', refresh_token: refresh_token))
+                # Save only if success
+                json_data = http.body
                 token_data = JSON.parse(json_data)
                 Factory.instance.persist_mgr.put(@token_cache_id, json_data)
-              else
-                Log.log.debug{"refresh failed: #{resp[:http].body}".bg_red}
+              rescue => e
+                # Refresh token can fail.
+                Log.log.warn{"Refresh failed: #{e}"}
               end
             end
           end
@@ -140,8 +116,9 @@ module Aspera
 
         # no cache, nor refresh: generate a token
         if token_data.nil?
-          resp = create_token
-          json_data = resp[:http].body
+          # Call the method-specific token creation
+          # which returns the result of create_token_call
+          json_data = create_token.body
           token_data = JSON.parse(json_data)
           Factory.instance.persist_mgr.put(@token_cache_id, json_data)
         end

data/lib/aspera/oauth/factory.rb

@@ -36,14 +36,13 @@ module Aspera
           return authorization[SPACE_BEARER_AUTH_SCHEME.length..-1]
         end
 
+        # Generate a unique cache id for a token creator
+        # @param url           [String] Base URL of the OAuth server
+        # @param creator_class [Class]  Class of the token creator
+        # @param params        [Array]  List of parameters (can be nested) to uniquely identify the token
         # @return a unique cache identifier
         def cache_id(url, creator_class, *params)
-          return IdGenerator.from_list([
-            PERSIST_CATEGORY_TOKEN,
-            url,
-            Factory.class_to_id(creator_class)
-          ] +
-            params)
+          return IdGenerator.from_list(PERSIST_CATEGORY_TOKEN, url, Factory.class_to_id(creator_class), params)
         end
 
         # @return snake version of class name
@@ -156,7 +155,7 @@ module Aspera
       def register_token_creator(creator_class)
         Aspera.assert_type(creator_class, Class)
         id = Factory.class_to_id(creator_class)
-        Log.log.debug{"registering token creator #{id}"}
+        Log.log.debug{"registering creator for #{id}"}
         @token_type_classes[id] = creator_class
       end
 

data/lib/aspera/oauth/generic.rb

@@ -23,7 +23,7 @@ module Aspera
       end
 
       def create_token
-        return create_token_call(optional_scope_client_id.merge(@create_params))
+        return create_token_call(base_params.merge(@create_params))
       end
     end
     Factory.instance.register_token_creator(Generic)

data/lib/aspera/oauth/jwt.rb

@@ -61,7 +61,7 @@ module Aspera
         Log.log.debug{"private=[#{@private_key_obj}]"}
         assertion = JWT.encode(jwt_payload, @private_key_obj, 'RS256', @headers)
         Log.log.debug{"assertion=[#{assertion}]"}
-        return create_token_call(optional_scope_client_id.merge(grant_type: GRANT_TYPE, assertion: assertion))
+        return create_token_call(base_params.merge(grant_type: GRANT_TYPE, assertion: assertion))
       end
     end
     Factory.instance.register_token_creator(Jwt)

data/lib/aspera/oauth/url_json.rb

@@ -6,8 +6,9 @@ module Aspera
   module OAuth
     # This class is used to create a token using a JSON body and a URL
     class UrlJson < Base
-      # @param url  URL to send the JSON body
-      # @param json JSON body to send
+      # @param url  [Hash] Query parameters to send
+      # @param json [Hash] Body parameters to send as JSON
+      # @param generic_params [Hash] Generic parameters for OAuth::Base
       def initialize(
         url:,
         json:,
@@ -22,10 +23,11 @@ module Aspera
         api.call(
           operation:    'POST',
           subpath:      path_token,
-          query:        @query.merge(scope: scope), # scope is here because it may change over time (node)
+          query:        @query.merge(scope: params[:scope]), # scope is here because it may change over time (node)
           content_type: Rest::MIME_JSON,
           body:         @body,
-          headers:      {'Accept' => Rest::MIME_JSON}
+          headers:      {'Accept' => Rest::MIME_JSON},
+          ret:          :resp
         )
       end
     end

data/lib/aspera/oauth/web.rb

@@ -32,7 +32,7 @@ module Aspera
         random_state = SecureRandom.uuid
         login_page_url = Rest.build_uri(
           "#{api.base_url}/#{@path_authorize}",
-          optional_scope_client_id.merge(response_type: 'code', redirect_uri: @redirect_uri, state: random_state)
+          base_params.merge(response_type: 'code', redirect_uri: @redirect_uri, state: random_state)
         )
         # here, we need a human to authorize on a web page
         Log.log.info{"login_page_url=#{login_page_url}".bg_red.gray}
@@ -44,7 +44,7 @@ module Aspera
         received_params = web_server.received_request
         Aspera.assert(random_state.eql?(received_params['state'])){'wrong received state'}
         # exchange code for token
-        return create_token_call(optional_scope_client_id(add_secret: true).merge(
+        return create_token_call(base_params(add_secret: true).merge(
           grant_type:   'authorization_code',
           code:         received_params['code'],
           redirect_uri: @redirect_uri