Jl/caip multichain/fix provider request scope object check (#25957)
<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

Adds back scope check in provider_request

## **Related issues**

Fixes:

## **Manual testing steps**

1. Go to this page...
2.
3.

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and/or screenshots.
jiexi authored Jul 18, 2024
1 parent c8dad3d commit a2d6660
Showing 2 changed files with 18 additions and 0 deletions.
4 changes: 4 additions & 0 deletions app/scripts/lib/multichain-api/provider-request.js
Expand Up @@ -48,6 +48,10 @@ export async function providerRequestHandler(
caveat.value.optionalScopes,
)[scope];

if (!scopeObject) {
return end(new Error('unauthorized (missing scope)'));
}

if (!scopeObject.methods.includes(wrappedRequest.method)) {
return end(new Error('unauthorized (method missing in scopeObject)'));
}
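Review bot: the added `if (!scopeObject)` guard only tests truthiness of the result of `)[scope]`, so if the merged scopes value is a plain object, a `scope` string that names an inherited property (for example `constructor`) gets past it, and `scopeObject.methods.includes(...)` on the next check then throws a TypeError instead of ending with 'unauthorized (missing scope)'. Consider checking that `scope` is an own key of the merged scopes before indexing, or rejecting here as well when `scopeObject.methods` is not an array, so every unauthorized scope takes the same `end(new Error(...))` path.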
14 changes: 14 additions & 0 deletions app/scripts/lib/multichain-api/provider-request.test.js
Expand Up @@ -89,6 +89,20 @@ describe('provider_request', () => {
expect(end).toHaveBeenCalledWith(new Error('missing CAIP-25 endowment'));
});

it('throws an error if the requested scope is not authorized', async () => {
const request = createMockedRequest();
const { handler, end } = createMockedHandler();

await handler({
...request,
params: {
...request.params,
scope: 'eip155:999',
},
});
expect(end).toHaveBeenCalledWith(new Error('unauthorized (missing scope)'));
});

it('throws an error if the requested scope method is not authorized', async () => {
const request = createMockedRequest();
const { handler, end } = createMockedHandler();
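Review bot: the new test covers only a well-formed scope that is absent from the authorization (`scope: 'eip155:999'`), so the guard is not exercised for a request whose `params.scope` is omitted or is not a CAIP-style string. Add cases for those inputs that also expect `end` to be called with 'unauthorized (missing scope)'. The title says "throws an error" while the assertion checks that `end` receives the error; wording such as "ends with an error" would match what is verified.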