Restrict client_id and client_secret charsets

The OAuth2 spec allows these to be zero or more visual ASCII characters. https://tools.ietf.org/html/draft-ietf-oauth-v2-31#appendix-A.1 > VSCHAR = %x20-7E > > A.1. "client_id" Syntax > The "client_id" element is defined in Section 2.3.1: > client-id = *VSCHAR > > A.2. "client_secret" Syntax > The "client_secret" element is defined in Section 2.3.1: > client-secret = *VSCHAR
lelylan · Feb 10, 2018 · 79873bd · 79873bd
1 parent 6f3c25b
commit 79873bd
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/index.js b/index.js
@@ -6,12 +6,15 @@ const passwordModule = require('./lib/client/password');
 const accessTokenModule = require('./lib/client/access-token');
 const clientCredentialsModule = require('./lib/client/client');
 
+// https://tools.ietf.org/html/draft-ietf-oauth-v2-31#appendix-A.1
+const vsCharRegEx = /^[\x20-\x7E]*$/;
+
 const optionsSchema = Joi
   .object()
   .keys({
     client: Joi.object().keys({
-      id: Joi.string().allow(''),
-      secret: Joi.string().allow(''),
+      id: Joi.string().regex(vsCharRegEx).allow(''),
+      secret: Joi.string().regex(vsCharRegEx).allow(''),
       secretParamName: Joi.string().default('client_secret'),
       idParamName: Joi.string().default('client_id'),
     }).required(),