fix(validation): Restrict characters allowed in 'scope' parameter.

lib/routes/authorization.js

@@ -103,8 +103,7 @@ module.exports = {
         .required(),
       redirect_uri: Joi.string()
         .max(256),
-      scope: Joi.string()
-        .max(256),
+      scope: validators.scope,
       response_type: Joi.string()
         .valid(CODE, TOKEN)
         .default(CODE),

lib/routes/token.js

@@ -68,7 +68,7 @@ const PAYLOAD_SCHEMA = Joi.object({
 
   scope: Joi.alternatives().when('grant_type', {
     is: GRANT_REFRESH_TOKEN,
-    then: Joi.string(),
+    then: validators.scope,
     otherwise: Joi.forbidden()
   }),
 
@@ -132,7 +132,7 @@ module.exports = {
       access_token: validators.token.required(),
       refresh_token: validators.token,
       id_token: validators.assertion,
-      scope: Joi.string().required().allow(''),
+      scope: validators.scope.required().allow(''),
       token_type: Joi.string().valid('bearer').required(),
       expires_in: Joi.number().max(MAX_TTL_S).required(),
       auth_at: Joi.number(),

lib/validators.js

@@ -22,6 +22,10 @@ exports.token = Joi.string()
   .length(config.get('unique.token') * 2)
   .regex(exports.HEX_STRING);
 
+exports.scope = Joi.string()
+  .max(256)
+  .regex(/^[a-zA-Z0-9 _:]+$/);
+
 // taken from mozilla/persona/lib/validate.js
 exports.assertion = Joi.string()
   .min(50)

test/api.js

@@ -500,6 +500,17 @@ describe('/v1', function() {
           assert(res.result.redirect);
         }).done(done, done);
       });
+      it('is restricted to expected characters', function(done) {
+        mockAssertion().reply(200, VERIFY_GOOD);
+        Server.api.post({
+          url: '/authorization',
+          payload: authParams({
+            scope: 'profile:\u2603'
+          })
+        }).then(function(res) {
+          assert.equal(res.statusCode, 400);
+        }).done(done, done);
+      });
     });
 
     describe('?response_type', function() {