Fix user denial and missing state parameter on error redirect

lib/handlers/authorize-handler.js

@@ -78,10 +78,6 @@ AuthorizeHandler.prototype.handle = function(request, response) {
     throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
   }
 
-  if ('false' === request.query.allowed) {
-    return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
-  }
-
   var fns = [
     this.getAuthorizationCodeLifetime(),
     this.getClient(request),
@@ -97,6 +93,12 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       var ResponseType;
 
       return Promise.bind(this)
+        .then(function() {
+          state = this.getState(request);
+          if(request.query.allowed === 'false') {
+            throw new AccessDeniedError('Access denied: user denied access to application');
+          }
+        })
         .then(function() {
           var requestedScope = this.getScope(request);
 
@@ -108,9 +110,7 @@ AuthorizeHandler.prototype.handle = function(request, response) {
           return this.generateAuthorizationCode(client, user, scope);
         })
         .then(function(authorizationCode) {
-          state = this.getState(request);
           ResponseType = this.getResponseType(request);
-
           return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
         })
         .then(function(code) {

test/integration/handlers/authorize-handler_test.js

@@ -161,13 +161,35 @@ describe('AuthorizeHandler integration', function() {
 
     it('should throw an error if `allowed` is `false`', function() {
       var model = {
-        getAccessToken: function() {},
-        getClient: function() {},
-        saveAuthorizationCode: function() {}
+        getAccessToken: function() {
+          return {
+            user: {},
+            accessTokenExpiresAt: new Date(new Date().getTime() + 10000)
+          };
+        },
+        getClient: function() {
+          return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
+        },
+        saveAuthorizationCode: function() {
+          throw new Error('Unhandled exception');
+        }
       };
+
       var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
-      var request = new Request({ body: {}, headers: {}, method: {}, query: { allowed: 'false' } });
       var response = new Response({ body: {}, headers: {} });
+      var request = new Request({
+        body: {
+          client_id: 'test'
+        },
+        headers: {
+          'Authorization': 'Bearer foo'
+        },
+        method: {},
+        query: {
+          allowed: 'false',
+          state: 'foobar'
+        }
+      });
 
       return handler.handle(request, response)
         .then(should.fail)
@@ -328,7 +350,7 @@ describe('AuthorizeHandler integration', function() {
       return handler.handle(request, response)
         .then(should.fail)
         .catch(function() {
-          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20parameter%3A%20%60scope%60');
+          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20parameter%3A%20%60scope%60&state=foobar');
         });
     });
 
@@ -416,7 +438,7 @@ describe('AuthorizeHandler integration', function() {
       return handler.handle(request, response)
         .then(should.fail)
         .catch(function() {
-          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20scope%3A%20Requested%20scope%20is%20invalid');
+          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20scope%3A%20Requested%20scope%20is%20invalid&state=foobar');
         });
     });