From f1d9f18d96050d89a4085c961f572f07b1e653d1 Mon Sep 17 00:00:00 2001 From: Zettat123 Date: Mon, 20 May 2024 15:17:00 +0800 Subject: [PATCH] Return `access_denied` error when an OAuth2 request is denied (#30974) According to [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), when the resource owner or authorization server denied an request, an `access_denied` error should be returned. But currently in this case Gitea does not return any error. For example, if the user clicks "Cancel" here, an `access_denied` error should be returned. --- routers/web/auth/oauth.go | 10 ++++++++++ services/forms/user_form.go | 1 + templates/user/auth/grant.tmpl | 4 ++-- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index 354e70bcb..84fa47304 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -541,6 +541,16 @@ func GrantApplicationOAuth(ctx *context.Context) { ctx.Error(http.StatusBadRequest) return } + + if !form.Granted { + handleAuthorizeError(ctx, AuthorizeError{ + State: form.State, + ErrorDescription: "the request is denied", + ErrorCode: ErrorCodeAccessDenied, + }, form.RedirectURI) + return + } + app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) if err != nil { ctx.ServerError("GetOAuth2ApplicationByClientID", err) diff --git a/services/forms/user_form.go b/services/forms/user_form.go index 418a87b86..b4be1e02b 100644 --- a/services/forms/user_form.go +++ b/services/forms/user_form.go @@ -161,6 +161,7 @@ func (f *AuthorizationForm) Validate(req *http.Request, errs binding.Errors) bin // GrantApplicationForm form for authorizing oauth2 clients type GrantApplicationForm struct { ClientID string `binding:"Required"` + Granted bool RedirectURI string State string Scope string diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl index cb9bba874..a18a3bd27 100644 --- a/templates/user/auth/grant.tmpl +++ b/templates/user/auth/grant.tmpl @@ -23,8 +23,8 @@ - - Cancel + +