From 6f3c25b81a036c652f039e9bdf396c82d0f87ef0 Mon Sep 17 00:00:00 2001 From: Robert Estelle Date: Fri, 9 Feb 2018 19:09:49 -0500 Subject: [PATCH 1/2] Allow empty client_id and client_secret The OAuth2 spec allows these to be zero or more characters. https://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-2.3.1
---
 index.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 74f406b3..f0114761 100644
--- a/index.js
+++ b/index.js
@@ -10,8 +10,8 @@ const optionsSchema = Joi
 .object()
 .keys({
 client: Joi.object().keys({
- id: Joi.string().required(),
- secret: Joi.string().required(),
+ id: Joi.string().allow(''),
+ secret: Joi.string().allow(''),
 secretParamName: Joi.string().default('client_secret'),
 idParamName: Joi.string().default('client_id'),
 }).required(),
From 79873bd42b79198ca51510ffa0463baaf0f73bdc Mon Sep 17 00:00:00 2001 From: Robert Estelle Date: Fri, 9 Feb 2018 19:20:26 -0500 Subject: [PATCH 2/2] Restrict client_id and client_secret charsets The OAuth2 spec allows these to be zero or more visual ASCII characters. https://tools.ietf.org/html/draft-ietf-oauth-v2-31#appendix-A.1 > VSCHAR = %x20-7E > > A.1. "client_id" Syntax > The "client_id" element is defined in Section 2.3.1: > client-id = *VSCHAR > > A.2. "client_secret" Syntax > The "client_secret" element is defined in Section 2.3.1: > client-secret = *VSCHAR
---
 index.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index f0114761..8449f19e 100644
--- a/index.js
+++ b/index.js
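Review bot: Dropping `.required()` from `id` and `secret` does more than the commit message claims: Joi keys are optional unless marked required, so a `client` object with no `id` or `secret` at all now passes validation, not just one with zero-length values. The cited spec allows zero or more characters, but the parameters are still expected to be present, so the lines should read `id: Joi.string().allow('').required(),` and `secret: Joi.string().allow('').required(),`. The same omission carries into the second patch's hunk, where `.regex(vsCharRegEx)` is added but `.required()` is still absent. The `optionsSchema` definition begins before this hunk's first context line.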
@@ -6,12 +6,15 @@ const passwordModule = require('./lib/client/password');
 const accessTokenModule = require('./lib/client/access-token');
 const clientCredentialsModule = require('./lib/client/client');
+// https://tools.ietf.org/html/draft-ietf-oauth-v2-31#appendix-A.1
+const vsCharRegEx = /^[\x20-\x7E]*$/;
+
 const optionsSchema = Joi
 .object()
 .keys({
 client: Joi.object().keys({
- id: Joi.string().allow(''),
- secret: Joi.string().allow(''),
+ id: Joi.string().regex(vsCharRegEx).allow(''),
+ secret: Joi.string().regex(vsCharRegEx).allow(''),
 secretParamName: Joi.string().default('client_secret'),
 idParamName: Joi.string().default('client_id'),
 }).required(),
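Review bot: The comment above `vsCharRegEx` is only a URL, so a reader has to leave the file to learn what `[\x20-\x7E]` stands for; a one-line explanation ahead of the link would carry the intent, e.g. `// VSCHAR = %x20-7E (printable ASCII): the OAuth2 charset for client_id and client_secret, appendix A.1`. It is also worth recording why `.allow('')` stays alongside the regex, since the `*` quantifier already matches the empty string: Joi's string type rejects `''` unless it is explicitly allowed, so a comment such as `// .allow('') is still needed: Joi rejects '' regardless of the regex` prevents a later cleanup from removing it. The `optionsSchema` definition begins before this hunk's first context line.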