fail gracefully in the absence of an oauth session
closes FOO-1462 flag=none TEST PLAN: 1) hit the deny endpoint with no session info 2) you should get a 400, not a 500 Change-Id: I0cf286e283bdad12c9bd65a6a53b8bd052a3d3ef Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/256669 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> QA-Review: Ethan Vizitei <evizitei@instructure.com> Product-Review: Ethan Vizitei <evizitei@instructure.com>
parent
5db8cabc8c
commit
953d36b70f
|
@ -92,6 +92,7 @@ class Oauth2ProviderController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def deny
|
def deny
|
||||||
|
return render plain: t("Invalid or missing session for oauth"), status: 400 unless session[:oauth2]
|
||||||
params = { error: "access_denied" }
|
params = { error: "access_denied" }
|
||||||
params[:state] = session[:oauth2][:state] if session[:oauth2].key? :state
|
params[:state] = session[:oauth2][:state] if session[:oauth2].key? :state
|
||||||
redirect_to Canvas::Oauth::Provider.final_redirect(self, params)
|
redirect_to Canvas::Oauth::Provider.final_redirect(self, params)
|
||||||
|
|
|
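Review bot: The guard on the added line only checks that `session[:oauth2]` is truthy, not that it holds what the rest of `deny` needs: the following lines call `key?` and `[]` on it and then hand the request to `Canvas::Oauth::Provider.final_redirect`, which presumably reads the client's redirect target from the same hash, so a stale or partially populated session entry would still raise instead of returning the 400 this change intends. If `final_redirect` requires specific keys, extend the check to them (or map its lookup failure onto the same 400). A one-line why-comment would help the next reader: `# No oauth2 session means no authorization flow was started; reject instead of raising.` Using `status: :bad_request` would also match the spec's `be_bad_request` matcher and read more clearly than the bare integer.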
@ -724,6 +724,11 @@ describe Oauth2ProviderController do
|
||||||
expect(response).to be_redirect
|
expect(response).to be_redirect
|
||||||
expect(response.location).not_to match(/state=/)
|
expect(response.location).not_to match(/state=/)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "doesn't error on an empty session" do
|
||||||
|
get 'deny', session: {}
|
||||||
|
expect(response).to be_bad_request
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'DELETE token' do
|
describe 'DELETE token' do
|
||||||
|
|
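Review bot: The new example at `it "doesn't error on an empty session"` covers only a session with no `:oauth2` key at all; the controller guard passes through any truthy value, so a session entry that exists but lacks the keys the redirect needs (`session: { oauth2: {} }`) is untested and may still 500. Adding a sibling example, `get 'deny', session: { oauth2: {} }` with an explicit expectation, would pin whether that case is meant to 400 or redirect. It may also be worth asserting the body, e.g. `expect(response.body).to include("Invalid or missing session")`, so a future refactor that returns 400 for an unrelated reason is caught. The enclosing `describe` block starts outside the hunk.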