fail gracefully in the absence of an oauth session

closes FOO-1462
flag=none

TEST PLAN:
  1) hit the deny endpoint with no session info
  2) you should get a 400, not a 500

Change-Id: I0cf286e283bdad12c9bd65a6a53b8bd052a3d3ef
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256669
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Ethan Vizitei <evizitei@instructure.com>
Product-Review: Ethan Vizitei <evizitei@instructure.com>
Ethan Vizitei 2021-01-13 14:36:52 -06:00
parent 5db8cabc8c
commit 953d36b70f
2 changed files with 7 additions and 1 deletions


@ -92,6 +92,7 @@ class Oauth2ProviderController < ApplicationController
end
def deny
return render plain: t("Invalid or missing session for oauth"), status: 400 unless session[:oauth2]
params = { error: "access_denied" }
params[:state] = session[:oauth2][:state] if session[:oauth2].key? :state
redirect_to Canvas::Oauth::Provider.final_redirect(self, params)
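Review bot: The guard added on the first line of `deny` only checks that `session[:oauth2]` is truthy, while the line after the `params = { error: "access_denied" }` assignment still calls `session[:oauth2].key?`, so a session value that is present but not a Hash (a stale or malformed serialized value, if the session store can hold one) would still raise and produce the 500 this commit sets out to remove. If that can never happen here the check is adequate, but making the assumption explicit costs one line: `oauth2 = session[:oauth2]` followed by `return render plain: t("Invalid or missing session for oauth"), status: :bad_request unless oauth2.is_a?(Hash)`, which also uses the symbolic status that the spec's `be_bad_request` matcher refers to. The other actions in this controller that read `session[:oauth2]` presumably share the same nil-session failure path; if so, a shared `before_action` would keep the check in one place rather than repeating it per action. `deny` continues past the end of the hunk, so whether the session is cleared after the redirect is not visible here.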


@ -724,6 +724,11 @@ describe Oauth2ProviderController do
expect(response).to be_redirect
expect(response.location).not_to match(/state=/)
end
it "doesn't error on an empty session" do
get 'deny', session: {}
expect(response).to be_bad_request
end
end
describe 'DELETE token' do
@ -789,4 +794,4 @@ describe Oauth2ProviderController do
end
end
end
end
end
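Review bot: The new example `it "doesn't error on an empty session"` asserts only the status code; since the sibling examples above it pin `response.location`, it is worth also asserting that no redirect is issued and that the plain-text message is what comes back, e.g. `expect(response).not_to be_redirect` and `expect(response.body).to include("Invalid or missing session for oauth")`, so a future change that turns the early return into a redirect with a 400 status does not pass silently. A second example with `session: { oauth2: "garbage" }` would cover the remaining path to the `key?` call in the controller, assuming the test session helper accepts a non-Hash value there. The enclosing `describe 'GET deny'` block starts outside the hunk, and the trailing `@ -789,4 +794,4 @@` hunk appears to change only the final `end` (likely the file's trailing newline), so there is nothing further to review in it.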