From 0c330bfae1d7fd730fea96535edf7720f0ec135f Mon Sep 17 00:00:00 2001
From: Darwin Tantuco <dcrtantuco@gmail.com>
Date: Sat, 7 Feb 2026 09:00:32 +0800
Subject: [PATCH] Support configurable OAuth scopes and prompt=consent for
 granular authentication

---
 lib/myob/api/client.rb | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/myob/api/client.rb b/lib/myob/api/client.rb
index bfa1c35..6f5ce53 100644
--- a/lib/myob/api/client.rb
+++ b/lib/myob/api/client.rb
@@ -15,6 +15,7 @@ def initialize(options)
         @consumer             = options[:consumer]
         @access_token         = options[:access_token]
         @refresh_token        = options[:refresh_token]
+        @scope                = options[:scope] || 'CompanyFile'
 
         @client               = OAuth2::Client.new(@consumer[:key], @consumer[:secret], {
           :site          => 'https://secure.myob.com',
@@ -29,7 +30,11 @@ def initialize(options)
       end
 
       def get_access_code_url(params = {})
-        @client.auth_code.authorize_url(params.merge(scope: 'CompanyFile', redirect_uri: @redirect_uri))
+        params = params.dup
+        scope = params.delete(:scope) || @scope
+        url_params = { scope: scope, redirect_uri: @redirect_uri }
+        url_params[:prompt] = 'consent' if params.delete(:force_consent)
+        @client.auth_code.authorize_url(params.merge(url_params))
       end
 
       def get_access_token(access_code)
@@ -95,6 +100,12 @@ def select_company_file(company_file)
         end
       end
 
+      # Set the company file directly using a business_id (GUID) from the OAuth redirect.
+      def set_company_file_from_business_id(business_id)
+        @current_company_file = { :id => business_id, :token => nil }
+        @current_company_file_url = "#{Myob::Api::Model::Base::API_URL}#{business_id}"
+      end
+
       def connection
         if @refresh_token
           @auth_connection ||= OAuth2::AccessToken.new(@client, @access_token, {