fix(handler): deny access when body.allowed is 'false' (#94)

* fix(handler): deny access when body.allowed is 'false'

* fix(authorization): use simplified if-branch to check for body allow value

Author: jankapunkt

lib/handlers/authorize-handler.js

@@ -77,7 +77,7 @@ AuthorizeHandler.prototype.handle = function(request, response) {
     throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
   }
 
-  if ('false' === request.query.allowed) {
+  if (request.query.allowed === 'false' || request.body.allowed === 'false') {
     return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
   }
 

test/integration/handlers/authorize-handler_test.js

@@ -198,6 +198,24 @@ describe('AuthorizeHandler integration', function() {
         });
     });
 
+    it('should throw an error if `allowed` is `false` body', function() {
+      const model = {
+        getAccessToken: function() {},
+        getClient: function() {},
+        saveAuthorizationCode: function() {}
+      };
+      const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+      const request = new Request({ body: { allowed: 'false' }, headers: {}, method: {}, query: {} });
+      const response = new Response({ body: {}, headers: {} });
+
+      return handler.handle(request, response)
+        .then(should.fail)
+        .catch(function(e) {
+          e.should.be.an.instanceOf(AccessDeniedError);
+          e.message.should.equal('Access denied: user denied access to application');
+        });
+    });
+
     it('should redirect to an error response if a non-oauth error is thrown', function() {
       const model = {
         getAccessToken: function() {