Dan6erbond / sk-auth

Authentication library for use with SvelteKit featuring built-in OAuth providers and zero restriction customization!
MIT License

The base OAuth2 callback doesn't account for the user denying access at the provider stage #45

Open colingourlay opened 3 years ago

colingourlay commented 3 years ago

The callback implementation always assumes that the code query param will always exist and can be fed into getTokens, and tokens in turn will exist and be fed into getUserProfile:

https://github.com/Dan6erbond/sk-auth/blob/731eabd893f29df64870beb7ce65282312852da0/src/providers/oauth2.base.ts#L69-L73

In my particular use case, I implemented login with GitHub, but if I choose to cancel, rather than share my account with the app, I'm redirected to /api/auth/callback/github?error=access_denied&error_description=The+user+has+denied+your+application+access.&error_uri=https%3A%2F%2Fdocs.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23access-denied&state=cmVkaXJlY3Q9Lw%3D%3D.

No code param exists, so the callback page 500s. I'm not sure if error and error_description are unique to GitHub, but perhaps we can use them to handle this situation more gracefully?

Dan6erbond commented 2 years ago

Hey there, yes, this is true. SK-Auth is still in development and error-handling is on the TODO. Will keep you updated!
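
The failure mode reported in this issue, as an added example (not sk-auth's code and not posted by either commenter): a callback classifier that validates `state`, then checks for the `error` parameter, before touching `code`. `error`, `error_description` and `error_uri` are the standard authorization error response fields of RFC 6749 section 4.1.2.1; the names `classifyCallback` and `failureResponse`, the `/login` path and the `app.example` host are assumptions.

```typescript
// Added example, not sk-auth code. All function and type names are hypothetical.
// Error codes an authorization endpoint may return (RFC 6749 section 4.1.2.1).
const KNOWN_ERRORS = new Set([
  "invalid_request", "unauthorized_client", "access_denied",
  "unsupported_response_type", "invalid_scope", "server_error",
  "temporarily_unavailable",
]);

type CallbackResult =
  | { kind: "code"; code: string }
  | { kind: "provider_error"; error: string; description: string }
  | { kind: "invalid"; reason: string };

// Path and query copied from the issue; the host is a constructed placeholder.
const SAMPLE_DENIED = "https://app.example" +
  "/api/auth/callback/github?error=access_denied&error_description=The+user+has+denied+your+application+access.&error_uri=https%3A%2F%2Fdocs.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23access-denied&state=cmVkaXJlY3Q9Lw%3D%3D";

function classifyCallback(callbackUrl: string, expectedState: string): CallbackResult {
  const params = new URL(callbackUrl).searchParams;
  // Check state first: success and error responses both echo it back.
  if (params.get("state") !== expectedState) {
    return { kind: "invalid", reason: "state mismatch" };
  }
  const error = params.get("error");
  if (error !== null) {
    // Anyone can craft this query string: allow-list the error code and
    // reduce the description to bounded printable ASCII before logging or display.
    const safeError = KNOWN_ERRORS.has(error) ? error : "unknown_error";
    const description = (params.get("error_description") ?? "")
      .replace(/[^\x20-\x7e]/g, "").replace(/[<>"'&]/g, "").slice(0, 200);
    return { kind: "provider_error", error: safeError, description };
  }
  const code = params.get("code");
  if (!code) return { kind: "invalid", reason: "missing code" };
  return { kind: "code", code };
}

// Turn a non-success result into a response instead of letting a missing code become a 500.
function failureResponse(r: CallbackResult): { status: number; location?: string } | null {
  if (r.kind === "code") return null; // caller proceeds to the token exchange
  if (r.kind === "provider_error") {
    return { status: 302, location: `/login?error=${encodeURIComponent(r.error)}` };
  }
  return { status: 400 };
}
```

The provider's `error_uri` is deliberately never used as a redirect target, since it arrives in the same untrusted query string.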