Skip to content

Return access_denied error when an OAuth2 request is denied#30974

Merged
lunny merged 10 commits into
go-gitea:mainfrom
Zettat123:oauth2-access-denied-error
May 20, 2024
Merged

Return access_denied error when an OAuth2 request is denied#30974
lunny merged 10 commits into
go-gitea:mainfrom
Zettat123:oauth2-access-denied-error

Conversation

@Zettat123
Copy link
Copy Markdown
Contributor

@Zettat123 Zettat123 commented May 14, 2024
edited
Loading

According to RFC 6749, when the resource owner or authorization server denied an request, an access_denied error should be returned. But currently in this case Gitea does not return any error.

For example, if the user clicks "Cancel" here, an access_denied error should be returned.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 14, 2024
wxiaoguang
wxiaoguang reviewed May 14, 2024
View reviewed changes
Comment thread routers/web/auth/oauth.go Outdated
wxiaoguang
wxiaoguang reviewed May 14, 2024
View reviewed changes
Comment thread routers/web/auth/oauth.go
wxiaoguang
wxiaoguang reviewed May 15, 2024
View reviewed changes
Comment thread templates/user/auth/grant.tmpl Outdated
wxiaoguang
wxiaoguang approved these changes May 15, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@wxiaoguang wxiaoguang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM.

I guess the tests would fail because the id is used by htmlDoc.AssertElement(t, "#authorize-app", true), it can't be removed.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 15, 2024
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 20, 2024
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label May 20, 2024
@lunny lunny enabled auto-merge (squash) May 20, 2024 07:02
@lunny lunny merged commit f1d9f18 into go-gitea:main May 20, 2024
@GiteaBot GiteaBot added this to the 1.23.0 milestone May 20, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request May 20, 2024
@Zettat123 @GiteaBot
Return access_denied error when an OAuth2 request is denied (go-git…
e7cbf2b 
…ea#30974)

According to [RFC
6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1),
when the resource owner or authorization server denied an request, an
`access_denied` error should be returned. But currently in this case
Gitea does not return any error.

For example, if the user clicks "Cancel" here, an `access_denied` error
should be returned.

<img width="360px"
src="https://github.com/go-gitea/gitea/assets/15528715/be31c09b-4c0a-4701-b7a4-f54b8fe3a6c5"
/>
@GiteaBot GiteaBot mentioned this pull request May 20, 2024
Merged
@GiteaBot GiteaBot added backport/done All backports for this PR have been created and removed reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels May 20, 2024
wxiaoguang pushed a commit that referenced this pull request May 20, 2024
@GiteaBot @Zettat123 @KN4CK3R
Return access_denied error when an OAuth2 request is denied (#30974) (
8a259e5 
#31029)

Backport #30974 by Zettat123

Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
zjjhot added a commit to zjjhot/gitea that referenced this pull request May 21, 2024
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
d07ae65 
* giteaofficial/main:
  Don't include link of deleted branch when listing branches (go-gitea#31028)
  [skip ci] Updated translations via Crowdin
  Refactor sha1 and time-limited code (go-gitea#31023)
  Return `access_denied` error when an OAuth2 request is denied (go-gitea#30974)
  Avoid 500 panic error when uploading invalid maven package file (go-gitea#31014)
  Fix incorrect "blob excerpt" link when comparing files (go-gitea#31013)
  Fix project column title overflow (go-gitea#31011)
  Fix data-race during testing (go-gitea#30999)
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Aug 19, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@lunny lunny lunny approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug

Projects

None yet

Milestone

1.23.0

Development

Successfully merging this pull request may close these issues.

4 participants

@Zettat123 @lunny @wxiaoguang @GiteaBot