From afff3a6f25a5d3836e76fa934fec7725def3a87a Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Wed, 16 Jun 2021 21:45:20 -0700
Subject: [PATCH] fix: Server error when user cancels OAuth process with Azure (#2231)
---
 server/middlewares/passport.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/server/middlewares/passport.js b/server/middlewares/passport.js
index 030ca1ea8..b2363e12b 100644
--- a/server/middlewares/passport.js
+++ b/server/middlewares/passport.js
@@ -9,7 +9,7 @@ export default function createMiddleware(providerName: string) {
 return passport.authorize(
 providerName,
 { session: false },
- async (err, _, result: AccountProvisionerResult) => {
+ async (err, user, result: AccountProvisionerResult) => {
 if (err) {
 console.error(err);
 
@@ -24,6 +24,14 @@ export default function createMiddleware(providerName: string) {
 return ctx.redirect(`/?notice=auth-error`);
 }
 
+ // Passport.js may invoke this callback with err=null and user=null in
+ // the event that error=access_denied is received from the OAuth server.
+ // I'm not sure why this exception to the rule exists, but it does:
+ // https://github.com/jaredhanson/passport-oauth2/blob/e20f26aad60ed54f0e7952928cbb64979ef8da2b/lib/strategy.js#L135
+ if (!user) {
+ return ctx.redirect(`/?notice=auth-error`);
+ }
+
 // Handle errors from Azure which come in the format: message, Trace ID,
 // Correlation ID, Timestamp in these two query string parameters.
 const { error, error_description } = ctx.request.query;
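Review bot: The `if (!user)` guard in the second hunk catches more than the `access_denied` case its comment names: with a custom callback Passport reports every strategy `fail()` as `err=null, user=false`, and passport-oauth2 also fails that way when the `state` parameter does not verify. All of those rejections now redirect to `/?notice=auth-error` without a server-side trace, whereas the `err` branch above calls `console.error`. I would widen the comment to say so and log before the redirect, e.g. `console.warn("OAuth callback returned no user for", providerName);`, leaving out `error_description` and other query-string text since the caller controls it. In this path the third argument is Passport's failure info rather than an `AccountProvisionerResult`, and the callback body continues outside the hunk.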