Software `/` code `/` prosody-modules

--- a/mod_http_oauth2/html/consent.html	Fri May 05 00:57:20 2023 +0200
+++ b/mod_http_oauth2/html/consent.html	Fri May 05 01:23:13 2023 +0200
@@ -38,7 +38,10 @@

 	<form method="post">
 		<details><summary>Requested permissions</summary>{scopes#
-			<input class="scope" type="checkbox" id="scope_{idx}" name="scope" value="{item}" checked><label class="scope" for="scope_{idx}">{item}</label>}
+			<input class="scope" type="checkbox" id="scope_{idx}" name="scope" value="{item}" checked><label class="scope" for="scope_{idx}">{item}</label>}{roles&
+			<select name="role">{roles#
+				<option value="{item.name}"{item.selected& selected}>{item.name}</option>}
+			</select>}
 		</details>
 		<input type="hidden" name="user_token" value="{state.user.token}">
 		<button type="submit" name="consent" value="denied">Deny</button>
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri May 05 00:57:20 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri May 05 01:23:13 2023 +0200
@@ -477,7 +477,7 @@
 		end

 		local scope = array():append(form):filter(function(field)
-			return field.name == "scope";
+			return field.name == "scope" or field.name == "role";
 		end):pluck("value"):concat(" ");

 		user.token = form.user_token;
@@ -654,7 +654,20 @@
 		return render_page(templates.login, { state = auth_state, client = client });
 	elseif auth_state.consent == nil then
 		-- Render consent page
-		return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope or "") }, true);
+		local scopes, requested_roles = split_scopes(parse_scopes(params.scope or ""));
+		local default_role = select_role(auth_state.user.username, requested_roles);
+		local roles = array(it.values(usermanager.get_all_roles(module.host))):filter(function(role)
+			return can_assume_role(auth_state.user.username, role.name);
+		end):sort(function(a, b)
+			return (a.priority or 0) < (b.priority or 0)
+		end):map(function(role)
+			return { name = role.name; selected = role.name == default_role };
+		end);
+		if not roles[2] then
+			-- Only one role to choose from, might as well skip the selector
+			roles = nil;
+		end
+		return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes; roles = roles }, true);
 	elseif not auth_state.consent then
 		-- Notify client of rejection
 		return error_response(request, oauth_error("access_denied"));