oauthjs · kiebzak · Jan 23, 2018 · Apr 23, 2019
diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
@@ -78,10 +78,6 @@ AuthorizeHandler.prototype.handle = function(request, response) {
     throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
   }
 
-  if ('false' === request.query.allowed) {
-    return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
-  }
-
   var fns = [
     this.getAuthorizationCodeLifetime(),
     this.getClient(request),
@@ -97,14 +93,19 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       var ResponseType;
 
       return Promise.bind(this)
-	.then(function() {
+        .then(function() {
           scope = this.getScope(request);
-
-	  return this.generateAuthorizationCode(client, user, scope);
-	})
-        .then(function(authorizationCode) {
           state = this.getState(request);
           ResponseType = this.getResponseType(request);
+        })
+        .then(function() {
+          if ('false' === request.query.allowed) {
+            return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
+          }
+
+      	  return this.generateAuthorizationCode(client, user, scope);
+      	})
+        .then(function(authorizationCode) {
 
           return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
         })

diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
@@ -159,21 +159,40 @@ describe('AuthorizeHandler integration', function() {
       }
     });
 
-    it('should throw an error if `allowed` is `false`', function() {
+     it('should redirect to an error response if user denied access', function() {
       var model = {
-        getAccessToken: function() {},
-        getClient: function() {},
+        getAccessToken: function() {
+          return {
+            user: {},
+            accessTokenExpiresAt: new Date(new Date().getTime() + 10000)
+          };
+        },
+        getClient: function() {
+          return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
+        },
         saveAuthorizationCode: function() {}
       };
       var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
-      var request = new Request({ body: {}, headers: {}, method: {}, query: { allowed: 'false' } });
+      var request = new Request({
+        body: {
+          client_id: 12345,
+          response_type: 'code'
+        },
+        method: {},
+        headers: {
+          'Authorization': 'Bearer foo'
+        },
+        query: {
+          state: 'foobar',
+          allowed: 'false'
+        }
+      });
       var response = new Response({ body: {}, headers: {} });
 
       return handler.handle(request, response)
         .then(should.fail)
-        .catch(function(e) {
-          e.should.be.an.instanceOf(AccessDeniedError);
-          e.message.should.equal('Access denied: user denied access to application');
+        .catch(function() {
+          response.get('location').should.equal('http://example.com/cb?error=access_denied&error_description=Access%20denied%3A%20user%20denied%20access%20to%20application&state=foobar');
         });
     });