Supported state in case of denial

lib/handlers/authorize-handler.js

@@ -96,6 +96,12 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       let ResponseType;
 
       return Promise.bind(this)
+        .then(function() {
+          state = this.getState(request);
+          if(request.query.allowed === 'false') {
+            throw new AccessDeniedError('Access denied: user denied access to application');
+          }
+        })
         .then(function() {
           const requestedScope = this.getScope(request);
 
@@ -107,7 +113,6 @@ AuthorizeHandler.prototype.handle = function(request, response) {
           return this.generateAuthorizationCode(client, user, scope);
         })
         .then(function(authorizationCode) {
-          state = this.getState(request);
           ResponseType = this.getResponseType(request);
 
           return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);

test/integration/handlers/authorize-handler_test.js

@@ -161,12 +161,33 @@ describe('AuthorizeHandler integration', function() {
 
     it('should throw an error if `allowed` is `false`', function() {
       const model = {
-        getAccessToken: function() {},
-        getClient: function() {},
-        saveAuthorizationCode: function() {}
+        getAccessToken: function() {
+          return {
+            user: {},
+            accessTokenExpiresAt: new Date(new Date().getTime() + 10000)
+          };
+        },
+        getClient: function() {
+          return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
+        },
+        saveAuthorizationCode: function() {
+          throw new Error('Unhandled exception');
+        }
       };
       const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
-      const request = new Request({ body: {}, headers: {}, method: {}, query: { allowed: 'false' } });
+      const request = new Request({
+        body: {
+          client_id: 'test'
+        },
+        headers: {
+          'Authorization': 'Bearer foo'
+        },
+        method: {},
+        query: {
+          allowed: 'false',
+          state: 'foobar'
+        }
+      });
       const response = new Response({ body: {}, headers: {} });
 
       return handler.handle(request, response)
@@ -328,7 +349,7 @@ describe('AuthorizeHandler integration', function() {
       return handler.handle(request, response)
         .then(should.fail)
         .catch(function() {
-          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20parameter%3A%20%60scope%60');
+          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20parameter%3A%20%60scope%60&state=foobar');
         });
     });
 
@@ -416,7 +437,7 @@ describe('AuthorizeHandler integration', function() {
       return handler.handle(request, response)
         .then(should.fail)
         .catch(function() {
-          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20scope%3A%20Requested%20scope%20is%20invalid');
+          response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20scope%3A%20Requested%20scope%20is%20invalid&state=foobar');
         });
     });