From 5a95a6913fbf13301c57b718ce7f4ad6021df94f Mon Sep 17 00:00:00 2001
From: Zettat123
Date: Tue, 14 May 2024 17:59:23 +0800
Subject: [PATCH 1/5] support access_denied
---
 routers/web/auth/oauth.go | 10 ++++++++++
 services/forms/user_form.go | 1 +
 templates/user/auth/grant.tmpl | 9 +++++++--
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 354e70bcbfff7..37e14c6e1a506 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -536,6 +536,16 @@ func AuthorizeOAuth(ctx *context.Context) {
 // GrantApplicationOAuth manages the post request submitted when a user grants access to an application
 func GrantApplicationOAuth(ctx *context.Context) {
 form := web.GetForm(ctx).(*forms.GrantApplicationForm)
+
+ if !form.Granted {
+ handleAuthorizeError(ctx, AuthorizeError{
+ State: ctx.Session.Get("state").(string),
+ ErrorDescription: "user denied the request",
+ ErrorCode: ErrorCodeAccessDenied,
+ }, ctx.Session.Get("redirect_uri").(string))
+ return
+ }
+
 if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
 ctx.Session.Get("redirect_uri") != form.RedirectURI {
 ctx.Error(http.StatusBadRequest)
diff --git a/services/forms/user_form.go b/services/forms/user_form.go
index 418a87b863d96..b4be1e02b76b5 100644
--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@@ -161,6 +161,7 @@ func (f *AuthorizationForm) Validate(req *http.Request, errs binding.Errors) bin
 // GrantApplicationForm form for authorizing oauth2 clients
 type GrantApplicationForm struct {
 ClientID string `binding:"Required"`
+ Granted bool
 RedirectURI string
 State string
 Scope string
diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl
index cb9bba874921a..c2cb3530cc279 100644
--- a/templates/user/auth/grant.tmpl
+++ b/templates/user/auth/grant.tmpl
@@ -16,15 +16,20 @@
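Review bot: The deny branch added at the top of GrantApplicationOAuth uses the single-value assertions `ctx.Session.Get("state").(string)` and `ctx.Session.Get("redirect_uri").(string)`, so a POST that arrives without a preceding authorize step in the session panics on a nil interface instead of being rejected, and it runs before the client_id/state/redirect_uri comparison that protects the grant branch. The denial should sit behind the same session check and then use the values that check has just confirmed: move the `if !form.Granted {` block below the `ctx.Error(http.StatusBadRequest)` guard and pass `form.State` / `form.RedirectURI` instead of the asserted session values. PATCH 3/5 on this page performs that reordering, so this applies only to the intermediate state of this commit. GrantApplicationOAuth's body continues past the end of the hunk.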

{{ctx.Locale.Tr "auth.authorize_redirect_notice" .ApplicationRedirectDomainHTML}}

-
+ {{.CsrfTokenHtml}} + - Cancel +
+
+ {{.CsrfTokenHtml}} + +
From d8461517c5e258dd61f718d058d5196c41b92a49 Mon Sep 17 00:00:00 2001
From: Zettat123
Date: Tue, 14 May 2024 18:09:29 +0800
Subject: [PATCH 2/5] update desc
---
 routers/web/auth/oauth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 37e14c6e1a506..a5a7b3e319818 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -540,7 +540,7 @@ func GrantApplicationOAuth(ctx *context.Context) {
 if !form.Granted {
 handleAuthorizeError(ctx, AuthorizeError{
 State: ctx.Session.Get("state").(string),
- ErrorDescription: "user denied the request",
+ ErrorDescription: "the request is denied",
 ErrorCode: ErrorCodeAccessDenied,
 }, ctx.Session.Get("redirect_uri").(string))
 return
From 5e217e12811d8e80b60aa89c7fc947019546b0d8 Mon Sep 17 00:00:00 2001
From: Zettat123
Date: Wed, 15 May 2024 09:29:04 +0800
Subject: [PATCH 3/5] fix
---
 routers/web/auth/oauth.go | 14 +++++++-------
 templates/user/auth/grant.tmpl | 2 ++
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index a5a7b3e319818..84fa4730441f1 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -536,21 +536,21 @@ func AuthorizeOAuth(ctx *context.Context) {
 // GrantApplicationOAuth manages the post request submitted when a user grants access to an application
 func GrantApplicationOAuth(ctx *context.Context) {
 form := web.GetForm(ctx).(*forms.GrantApplicationForm)
 
+ if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
+ ctx.Session.Get("redirect_uri") != form.RedirectURI {
+ ctx.Error(http.StatusBadRequest)
+ return
+ }
 if !form.Granted {
 handleAuthorizeError(ctx, AuthorizeError{
- State: ctx.Session.Get("state").(string),
+ State: form.State,
 ErrorDescription: "the request is denied",
 ErrorCode: ErrorCodeAccessDenied,
- }, ctx.Session.Get("redirect_uri").(string))
+ }, form.RedirectURI)
 return
 }
 
- if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
- ctx.Session.Get("redirect_uri") != form.RedirectURI {
- ctx.Error(http.StatusBadRequest)
- return
- }
 app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID)
 if err != nil {
 ctx.ServerError("GetOAuth2ApplicationByClientID", err)
diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl
index c2cb3530cc279..07d24339880d3 100644
--- a/templates/user/auth/grant.tmpl
+++ b/templates/user/auth/grant.tmpl
@@ -29,6 +29,8 @@
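Review bot: The deny branch now redirects the browser to `form.RedirectURI`, and the only thing that makes that safe is the comparison just above it requiring the form value to equal the session's `redirect_uri`; nothing in this hunk validates that URI against the application's registered redirect URIs, so the code is relying on AuthorizeOAuth (outside the hunk) having done so before storing it, and that dependency deserves a comment. I would add above `if !form.Granted {`: `// form.State and form.RedirectURI may be redirected to here only because the check above proved they match the values AuthorizeOAuth validated and stored in the session.` Note also that the denial path returns before the application is loaded and leaves the `client_id`/`state`/`redirect_uri` session entries in place; if the grant path further down consumes or deletes them, consider deleting them here as well so a finished authorize attempt cannot be replayed by re-posting the form. GrantApplicationOAuth continues past the end of the hunk.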
{{.CsrfTokenHtml}} + +
From 85b76d0d4c70bc7ee8470faddcd5ffb88fe0d6a4 Mon Sep 17 00:00:00 2001
From: Zettat123
Date: Wed, 15 May 2024 10:55:44 +0800
Subject: [PATCH 4/5] improve the template
---
 templates/user/auth/grant.tmpl | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl
index 07d24339880d3..28f28589c35a5 100644
--- a/templates/user/auth/grant.tmpl
+++ b/templates/user/auth/grant.tmpl
@@ -16,22 +16,15 @@

{{ctx.Locale.Tr "auth.authorize_redirect_notice" .ApplicationRedirectDomainHTML}}

-
+ {{.CsrfTokenHtml}} - - -
-
- {{.CsrfTokenHtml}} - - - - + +
From 248727933c12505663e2ab8b1537b414e5c69fc5 Mon Sep 17 00:00:00 2001
From: Zettat123
Date: Wed, 15 May 2024 11:10:02 +0800
Subject: [PATCH 5/5] add the id back
---
 templates/user/auth/grant.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl
index 28f28589c35a5..a18a3bd27a23c 100644
--- a/templates/user/auth/grant.tmpl
+++ b/templates/user/auth/grant.tmpl
@@ -23,7 +23,7 @@ - +