Closed rfk closed 6 years ago
Got this in sentry earlier today:
https://sentry.prod.mozaws.net/operations/oauth-prod/issues/4732207/
Which is throwing on an unexpected value for a short-name scope:
The value was:
`Error: Uncaught error: Invalid scope value: back-end`
Perhaps being requested by some automated scanner or other security-testing process. We correctly reject this value, but should reject it more cleanly than throwing an exception.
It's good that it threw! But it likely indicates that the upstream validation of the `scope` value on the incoming request could be tightened up before it hits the parser.

So the validator for the "scope" field is a simple regex: `/^[a-zA-Z0-9 _\/.:-]+$/`. This regex has to match allowed characters for both url-format scopes (which can contain `-`) and short-name scopes (which cannot), which is why it's letting the data through to error out in the underlying parser.
The right solution here may be to try to move the `ScopeSet.fromString` into a custom Hapi validator, rather than having a separate regex validator and then an explicit parsing call.
Anyway, this doesn't seem urgent since the call correctly fails; it could just fail more cleanly.
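As an added example (not fxa-oauth-server's own code) of the two approaches contrasted above: the loose field regex followed by a parse that throws, versus a single validator that parses each scope and turns the parser's exception into a clean rejection. The URL-format and short-name scope grammars below are assumptions for illustration, not the project's real rules; the only fact taken from the issue is that `-` is legal in URL-format scopes and illegal in short-name ones.

```javascript
// The loose field-level regex quoted in the issue: it admits "back-end"
// because "-" is needed for URL-format scopes.
const SCOPE_FIELD_RE = /^[a-zA-Z0-9 _\/.:-]+$/;

// Assumed grammars (illustrative, not the project's): a URL-format scope is
// an https URL and may contain "-"; a short-name scope is colon-separated
// segments of letters, digits and underscore only.
const URL_SCOPE_RE = /^https:\/\/[a-zA-Z0-9.-]+(\/[a-zA-Z0-9_\/.-]*)?$/;
const SHORT_SCOPE_RE = /^[a-zA-Z0-9_]+(:[a-zA-Z0-9_]+)*$/;

// Stand-in for the underlying parser (the role ScopeSet.fromString plays in
// the issue): it throws on anything it cannot classify.
function parseScopeStrict(scope) {
  if (URL_SCOPE_RE.test(scope)) return { kind: 'url', value: scope };
  if (SHORT_SCOPE_RE.test(scope)) return { kind: 'short', value: scope };
  throw new Error('Invalid scope value: ' + scope);
}

// "Before": character regex first, explicit parse second. A value that passes
// the regex but fails the grammar escapes as an uncaught exception.
function validateWithRegexThenParse(scopeString) {
  if (!SCOPE_FIELD_RE.test(scopeString)) {
    return { ok: false, error: 'scope contains disallowed characters' };
  }
  const scopes = scopeString.split(' ').map(parseScopeStrict); // may throw
  return { ok: true, scopes };
}

// "After": one validator that parses every space-separated scope and reports
// a structured failure instead of letting the exception propagate. This is
// the shape a custom request validator would take.
function validateScopeField(scopeString) {
  if (typeof scopeString !== 'string' || scopeString.length === 0) {
    return { ok: false, error: 'scope must be a non-empty string' };
  }
  const scopes = [];
  for (const token of scopeString.split(' ')) {
    try {
      scopes.push(parseScopeStrict(token));
    } catch (err) {
      return { ok: false, error: err.message };
    }
  }
  return { ok: true, scopes };
}
```

With the value from the Sentry report, `validateWithRegexThenParse('back-end')` throws while `validateScopeField('back-end')` returns `{ ok: false, error: 'Invalid scope value: back-end' }`, which a route handler can map to a 400 response.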