fix(handler): deny access when body.allowed is 'false'

jankapunkt · jankapunkt · commit 5e8962df2817 · 2021-11-29T09:38:41.000+01:00
diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
@@ -77,7 +77,12 @@ AuthorizeHandler.prototype.handle = function(request, response) {
     throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
   }
 
-  if ('false' === request.query.allowed) {
+  const notAllowed = [
+    request.query.allowed,
+    request.body.allowed
+  ].some(allowed => 'false' === allowed);
+
+  if (notAllowed) {
     return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
   }
 
diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
@@ -177,6 +177,24 @@ describe('AuthorizeHandler integration', function() {
         });
     });
 
+    it('should throw an error if `allowed` is `false` body', function() {
+      const model = {
+        getAccessToken: function() {},
+        getClient: function() {},
+        saveAuthorizationCode: function() {}
+      };
+      const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+      const request = new Request({ body: { allowed: 'false' }, headers: {}, method: {}, query: {} });
+      const response = new Response({ body: {}, headers: {} });
+
+      return handler.handle(request, response)
+        .then(should.fail)
+        .catch(function(e) {
+          e.should.be.an.instanceOf(AccessDeniedError);
+          e.message.should.equal('Access denied: user denied access to application');
+        });
+    });
+
     it('should redirect to an error response if a non-oauth error is thrown', function() {
       const model = {
         getAccessToken: function() {

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,12 @@ AuthorizeHandler.prototype.handle = function(request, response) {`
`77`	`77`	throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
`78`	`78`	`}`
`79`	`79`
`80`		`- if ('false' === request.query.allowed) {`
	`80`	`+ const notAllowed = [`
	`81`	`+ request.query.allowed,`
	`82`	`+ request.body.allowed`
	`83`	`+ ].some(allowed => 'false' === allowed);`
	`84`	`+`
	`85`	`+ if (notAllowed) {`
`81`	`86`	`return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));`
`82`	`87`	`}`
`83`	`88`