Fix issues of unhandled OAUTH_ERROR in oauth accept/reject endpoint

Author: deepjyoti30-st

lib/build/recipe/oauth2provider/api/utils.d.ts

@@ -1,7 +1,7 @@
 // @ts-nocheck
 import { UserContext } from "../../../types";
 import { SessionContainerInterface } from "../../session/types";
-import { ErrorOAuth2, RecipeInterface } from "../types";
+import { ErrorOAuth2, RecipeInterface, OauthError } from "../types";
 export declare function loginGET({
     recipeImplementation,
     loginChallenge,
@@ -20,6 +20,7 @@ export declare function loginGET({
     isDirectCall: boolean;
 }): Promise<
     | ErrorOAuth2
+    | OauthError
     | {
           status: string;
           redirectTo: string;
@@ -54,6 +55,7 @@ export declare function handleLoginInternalRedirects({
           cookies?: string[];
       }
     | ErrorOAuth2
+    | OauthError
 >;
 export declare function handleLogoutInternalRedirects({
     response,

lib/build/recipe/oauth2provider/api/utils.js

@@ -58,6 +58,9 @@ async function loginGET({
                     },
                     userContext,
                 });
+                if (reject.status === "OAUTH_ERROR") {
+                    return reject;
+                }
                 return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
             }
             if (maxAgeParsed < 0) {
@@ -70,6 +73,9 @@ async function loginGET({
                     },
                     userContext,
                 });
+                if (reject.status === "OAUTH_ERROR") {
+                    return reject;
+                }
                 return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
             }
         } catch (_c) {
@@ -82,6 +88,9 @@ async function loginGET({
                 },
                 userContext,
             });
+            if (reject.status === "OAUTH_ERROR") {
+                return reject;
+            }
             return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
         }
     }
@@ -101,6 +110,9 @@ async function loginGET({
             identityProviderSessionId: session.getHandle(),
             userContext,
         });
+        if (accept.status === "OAUTH_ERROR") {
+            return accept;
+        }
         return { status: "REDIRECT", redirectTo: accept.redirectTo, cookies: cookies };
     }
     if (shouldTryRefresh && promptParam !== "login") {
@@ -124,6 +136,9 @@ async function loginGET({
             },
             userContext,
         });
+        if (reject.status === "OAUTH_ERROR") {
+            return reject;
+        }
         return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
     }
     return {

lib/build/recipe/oauth2provider/recipeImplementation.js

@@ -128,8 +128,12 @@ function getRecipeInterface(
                 },
                 input.userContext
             );
+            if (resp.status === "OAUTH_ERROR") {
+                return resp;
+            }
             return {
                 redirectTo: getUpdatedRedirectTo(appInfo, resp.redirectTo),
+                status: "OK",
             };
         },
         rejectLoginRequest: async function (input) {
@@ -145,8 +149,12 @@ function getRecipeInterface(
                 },
                 input.userContext
             );
+            if (resp.status === "OAUTH_ERROR") {
+                return resp;
+            }
             return {
                 redirectTo: getUpdatedRedirectTo(appInfo, resp.redirectTo),
+                status: "OK",
             };
         },
         getConsentRequest: async function (input) {

lib/build/recipe/oauth2provider/types.d.ts

@@ -38,6 +38,12 @@ export declare type ErrorOAuth2 = {
     errorDescription: string;
     statusCode?: number;
 };
+export declare type OauthError = {
+    status: "OAUTH_ERROR";
+    error: string;
+    errorDescription: string;
+    statusCode: number;
+};
 export declare type ConsentRequest = {
     acr?: string;
     amr?: string[];
@@ -147,12 +153,20 @@ export declare type RecipeInterface = {
         identityProviderSessionId?: string;
         subject: string;
         userContext: UserContext;
-    }): Promise<{
-        redirectTo: string;
-    }>;
-    rejectLoginRequest(input: { challenge: string; error: ErrorOAuth2; userContext: UserContext }): Promise<{
-        redirectTo: string;
-    }>;
+    }): Promise<
+        | {
+              redirectTo: string;
+              status: "OK";
+          }
+        | OauthError
+    >;
+    rejectLoginRequest(input: { challenge: string; error: ErrorOAuth2; userContext: UserContext }): Promise<
+        | {
+              redirectTo: string;
+              status: "OK";
+          }
+        | OauthError
+    >;
     getOAuth2Client(input: { clientId: string; userContext: UserContext }): Promise<
         | {
               status: "OK";
@@ -356,6 +370,7 @@ export declare type APIInterface = {
                     cookies?: string[];
                 }
               | ErrorOAuth2
+              | OauthError
               | GeneralErrorResponse
           >);
     authGET:
@@ -373,6 +388,7 @@ export declare type APIInterface = {
                     cookies?: string[];
                 }
               | ErrorOAuth2
+              | OauthError
               | GeneralErrorResponse
           >);
     tokenPOST:

lib/ts/core/versions/5.3/schema.d.ts

@@ -9574,11 +9574,13 @@ export interface operations {
                     [name: string]: unknown;
                 };
                 content: {
-                    "application/json": {
-                        status: components["schemas"]["statusOK"];
-                        /** @example {apiDomain}/oauth/login?... */
-                        redirectTo?: string;
-                    };
+                    "application/json":
+                        | {
+                              status: components["schemas"]["statusOK"];
+                              /** @example {apiDomain}/oauth/login?... */
+                              redirectTo?: string;
+                          }
+                        | components["schemas"]["oauthError"];
                 };
             };
             400: components["responses"]["400"];
@@ -9626,11 +9628,13 @@ export interface operations {
                     [name: string]: unknown;
                 };
                 content: {
-                    "application/json": {
-                        status: components["schemas"]["statusOK"];
-                        /** @example {apiDomain}/oauth/login?... */
-                        redirectTo?: string;
-                    };
+                    "application/json":
+                        | {
+                              status: components["schemas"]["statusOK"];
+                              /** @example {apiDomain}/oauth/login?... */
+                              redirectTo?: string;
+                          }
+                        | components["schemas"]["oauthError"];
                 };
             };
             400: components["responses"]["400"];

lib/ts/recipe/oauth2provider/api/utils.ts

@@ -4,7 +4,7 @@ import { DEFAULT_TENANT_ID } from "../../multitenancy/constants";
 import { getSessionInformation } from "../../session";
 import { SessionContainerInterface } from "../../session/types";
 import { AUTH_PATH, LOGIN_PATH, END_SESSION_PATH } from "../constants";
-import { ErrorOAuth2, RecipeInterface } from "../types";
+import { ErrorOAuth2, RecipeInterface, OauthError } from "../types";
 import setCookieParser from "set-cookie-parser";
 
 // API implementation for the loginGET function.
@@ -58,6 +58,11 @@ export async function loginGET({
                     },
                     userContext,
                 });
+
+                if (reject.status === "OAUTH_ERROR") {
+                    return reject;
+                }
+
                 return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
             }
 
@@ -71,6 +76,11 @@ export async function loginGET({
                     },
                     userContext,
                 });
+
+                if (reject.status === "OAUTH_ERROR") {
+                    return reject;
+                }
+
                 return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
             }
         } catch {
@@ -83,6 +93,11 @@ export async function loginGET({
                 },
                 userContext,
             });
+
+            if (reject.status === "OAUTH_ERROR") {
+                return reject;
+            }
+
             return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
         }
     }
@@ -102,6 +117,11 @@ export async function loginGET({
             identityProviderSessionId: session.getHandle(),
             userContext,
         });
+
+        if (accept.status === "OAUTH_ERROR") {
+            return accept;
+        }
+
         return { status: "REDIRECT", redirectTo: accept.redirectTo, cookies: cookies };
     }
 
@@ -126,6 +146,11 @@ export async function loginGET({
             },
             userContext,
         });
+
+        if (reject.status === "OAUTH_ERROR") {
+            return reject;
+        }
+
         return { status: "REDIRECT", redirectTo: reject.redirectTo, cookies };
     }
 
@@ -212,7 +237,7 @@ export async function handleLoginInternalRedirects({
     shouldTryRefresh: boolean;
     cookie?: string;
     userContext: UserContext;
-}): Promise<{ redirectTo: string; cookies?: string[] } | ErrorOAuth2> {
+}): Promise<{ redirectTo: string; cookies?: string[] } | ErrorOAuth2 | OauthError> {
     if (!isLoginInternalRedirect(response.redirectTo)) {
         return response;
     }

lib/ts/recipe/oauth2provider/recipeImplementation.ts

@@ -22,6 +22,7 @@ import {
     ConsentRequest,
     PayloadBuilderFunction,
     UserInfoBuilderFunction,
+    OauthError,
 } from "./types";
 import { OAuth2Client } from "./OAuth2Client";
 import { getUser } from "../..";
@@ -85,7 +86,10 @@ export default function getRecipeInterface(
                 subject: resp.subject,
             };
         },
-        acceptLoginRequest: async function (this: RecipeInterface, input): Promise<{ redirectTo: string }> {
+        acceptLoginRequest: async function (
+            this: RecipeInterface,
+            input
+        ): Promise<{ redirectTo: string; status: "OK" } | OauthError> {
             const resp = await querier.sendPutRequest(
                 "/recipe/oauth/auth/requests/login/accept",
                 {
@@ -102,11 +106,19 @@ export default function getRecipeInterface(
                 input.userContext
             );
 
+            if (resp.status === "OAUTH_ERROR") {
+                return resp;
+            }
+
             return {
                 redirectTo: getUpdatedRedirectTo(appInfo, resp.redirectTo),
+                status: "OK",
             };
         },
-        rejectLoginRequest: async function (this: RecipeInterface, input): Promise<{ redirectTo: string }> {
+        rejectLoginRequest: async function (
+            this: RecipeInterface,
+            input
+        ): Promise<{ redirectTo: string; status: "OK" } | OauthError> {
             const resp = await querier.sendPutRequest(
                 "/recipe/oauth/auth/requests/login/reject",
                 {
@@ -120,8 +132,13 @@ export default function getRecipeInterface(
                 input.userContext
             );
 
+            if (resp.status === "OAUTH_ERROR") {
+                return resp;
+            }
+
             return {
                 redirectTo: getUpdatedRedirectTo(appInfo, resp.redirectTo),
+                status: "OK",
             };
         },
         getConsentRequest: async function (this: RecipeInterface, input): Promise<ConsentRequest> {

lib/ts/recipe/oauth2provider/types.ts

@@ -65,6 +65,21 @@ export type ErrorOAuth2 = {
     statusCode?: number;
 };
 
+export type OauthError = {
+    status: "OAUTH_ERROR";
+
+    // The error should follow the OAuth2 error format (e.g. invalid_request, login_required).
+    // Defaults to request_denied.
+    error: string;
+
+    // Description of the error in a human readable format.
+    errorDescription: string;
+
+    // Represents the HTTP status code of the error (e.g. 401 or 403)
+    // Defaults to 400
+    statusCode: number;
+};
+
 export type ConsentRequest = {
     // ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication.
     acr?: string;
@@ -242,12 +257,12 @@ export type RecipeInterface = {
         // Subject is the user ID of the end-user that authenticated.
         subject: string;
         userContext: UserContext;
-    }): Promise<{ redirectTo: string }>;
+    }): Promise<{ redirectTo: string; status: "OK" } | OauthError>;
     rejectLoginRequest(input: {
         challenge: string;
         error: ErrorOAuth2;
         userContext: UserContext;
-    }): Promise<{ redirectTo: string }>;
+    }): Promise<{ redirectTo: string; status: "OK" } | OauthError>;
 
     getOAuth2Client(input: { clientId: string; userContext: UserContext }): Promise<
         | {
@@ -425,7 +440,9 @@ export type APIInterface = {
               session?: SessionContainerInterface;
               shouldTryRefresh: boolean;
               userContext: UserContext;
-          }) => Promise<{ frontendRedirectTo: string; cookies?: string[] } | ErrorOAuth2 | GeneralErrorResponse>);
+          }) => Promise<
+              { frontendRedirectTo: string; cookies?: string[] } | ErrorOAuth2 | OauthError | GeneralErrorResponse
+          >);
 
     authGET:
         | undefined
@@ -436,7 +453,7 @@ export type APIInterface = {
               shouldTryRefresh: boolean;
               options: APIOptions;
               userContext: UserContext;
-          }) => Promise<{ redirectTo: string; cookies?: string[] } | ErrorOAuth2 | GeneralErrorResponse>);
+          }) => Promise<{ redirectTo: string; cookies?: string[] } | ErrorOAuth2 | OauthError | GeneralErrorResponse>);
     tokenPOST:
         | undefined
         | ((input: {