Explicitly catch an error querystring with value access_denied

packages/oauth/src/index.spec.js

@@ -437,6 +437,26 @@ describe('OAuth', async () => {
       assert.isTrue(sent);
     });
 
+    it('should call the failure callback if an access_denied error query parameter was returned on the URL', async () => {
+      const req = { url: 'http://example.com?error=access_denied' };
+      let sent = false;
+      const res = { send: () => { sent = true; } };
+      const callbackOptions = {
+        success: async (installation, installOptions, req, res) => {
+          res.send('successful!');
+          assert.fail('should have failed');
+        },
+        failure: async (error, installOptions, req, res) => {
+          assert.equal(error.code, ErrorCode.AuthorizationError)
+          res.send('failure');
+        },
+      }
+      const installer = new InstallProvider({ clientId, clientSecret, stateSecret, installationStore, logger: noopLogger });
+      await installer.handleCallback(req, res, callbackOptions);
+
+      assert.isTrue(sent);
+    });
+
     it('should call the success callback for a v2 url', async () => {
       let sent = false;
       const res = { send: () => { sent = true; } };

packages/oauth/src/index.ts

@@ -315,12 +315,17 @@ export class InstallProvider {
   ): Promise<void> {
     let parsedUrl;
     let code: string;
+    let flowError: string;
     let state: string;
     let installOptions: InstallURLOptions;
 
     try {
       if (req.url !== undefined) {
         parsedUrl = new URL(req.url);
+        flowError = parsedUrl.searchParams.get('error') as string;
+        if (flowError === 'access_denied') {
+          throw new AuthorizationError('User cancelled the OAuth installation flow!');
+        }
         code = parsedUrl.searchParams.get('code') as string;
         state = parsedUrl.searchParams.get('state') as string;
         if (!state || !code) {