From 7233048feafa425f86c7fd07b3ece8adbf6e7acc Mon Sep 17 00:00:00 2001
From: Franck Nijhof
Date: Thu, 6 Feb 2020 17:00:27 +0100
Subject: [PATCH] Limit OAuth scopes for Netatmo and Home Assistant Cloud (#31538)
* Limit OAuth scopes for Netatmo and Home Assistant Cloud
* Fix tests by making order of scopes predictable
---
 .../components/netatmo/config_flow.py | 34 +++++++++----------
 tests/components/netatmo/test_config_flow.py | 8 ++---
 2 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/homeassistant/components/netatmo/config_flow.py b/homeassistant/components/netatmo/config_flow.py
index 8f59382dd46..dce87fb7931 100644
--- a/homeassistant/components/netatmo/config_flow.py
+++ b/homeassistant/components/netatmo/config_flow.py
@@ -25,24 +25,22 @@ class NetatmoFlowHandler(
 @property
 def extra_authorize_data(self) -> dict:
 """Extra data that needs to be appended to the authorize url."""
- return {
- "scope": (
- " ".join(
- [
- "read_station",
- "read_camera",
- "access_camera",
- "write_camera",
- "read_presence",
- "access_presence",
- "read_homecoach",
- "read_smokedetector",
- "read_thermostat",
- "write_thermostat",
- ]
- )
- )
- }
+ scopes = [
+ "read_camera",
+ "read_homecoach",
+ "read_presence",
+ "read_smokedetector",
+ "read_station",
+ "read_thermostat",
+ "write_camera",
+ "write_thermostat",
+ ]
+
+ if self.flow_impl.name != "Home Assistant Cloud":
+ scopes.extend(["access_camera", "access_presence"])
+ scopes.sort()
+
+ return {"scope": " ".join(scopes)}
 async def async_step_user(self, user_input=None):
 """Handle a flow start."""
diff --git a/tests/components/netatmo/test_config_flow.py b/tests/components/netatmo/test_config_flow.py
index 24aac6dc878..d76578d277c 100644
--- a/tests/components/netatmo/test_config_flow.py
+++ b/tests/components/netatmo/test_config_flow.py
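Review bot: The scope restriction in `extra_authorize_data` fails open, because it keys on a display-name literal: `if self.flow_impl.name != "Home Assistant Cloud":`. If that name is ever reworded, or a second cloud-style implementation is registered under another name, the comparison is true and the flow quietly requests `access_camera` and `access_presence` again. For a least-privilege control the narrow set should be the default, with the two extra scopes added only for an implementation that is positively identified by a stable identifier (the implementation's domain, if it exposes one that is reliable here) or a shared constant rather than a string repeated in this file. The branch also deserves a why-comment, for example `# Accounts linked through the cloud implementation must not be granted the camera/presence access scopes`. The enclosing class starts outside the hunk.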
@@ -54,15 +54,15 @@ async def test_full_flow(hass, aiohttp_client, aioclient_mock):
 scope = "+".join(
 [
- "read_station",
- "read_camera",
 "access_camera",
- "write_camera",
- "read_presence",
 "access_presence",
+ "read_camera",
 "read_homecoach",
+ "read_presence",
 "read_smokedetector",
+ "read_station",
 "read_thermostat",
+ "write_camera",
 "write_thermostat",
 ]
 )
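Review bot: The expected scope list in `test_full_flow` still contains `access_camera` and `access_presence`, so the only path asserted here is the non-cloud one. Nothing visible in this patch exercises the restricted branch that the commit introduces. A companion case that runs the flow with an implementation named "Home Assistant Cloud" and asserts that neither of those two scopes appears in the authorize URL would pin the security-relevant behaviour and catch a regression in the name comparison. The test function continues outside the hunk, so an existing check elsewhere in the file cannot be ruled out from here.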