oauth auth service still called even if grant returns an error

[tjenkinson]

Steps to reproduce

Expected behavior

If grant returns an error like it can here

https://github.com/simov/grant/blob/6e0692dfdd83edbc4ee82629ba0fe8f986d5879d/lib/flow/oauth2.js#L69

then the auth service should not be called and an error should returned.

Actual behavior

The error is not checked so the code continues with profile and the access token missing.

It also looks like the provided strategy expects profile to be there:

feathers/packages/authentication-oauth/src/strategy.ts

Line 162 in c619ab2

const profile = await this.getProfile(authentication, params)

Would it make sense to bail here if payload.error is set?

feathers/packages/authentication-oauth/src/service.ts

Line 117 in c619ab2

const payload = grant?.response || result?.session?.response || result?.state?.response || params.query

[daffl]

This looks like a really good catch. I bet this is what the issue in #3266 is also about. What's the best way to try and reproduce this?

[tjenkinson]

Ah yes that looks likely. You can trigger it if you set state: true, and then tweak the state in the url when logging in so that it no longer matches in the callback :)