lib/rack/oauth2/admin/js/application.js in rack-oauth2-server-1.3.1 vs lib/rack/oauth2/admin/js/application.js in rack-oauth2-server-1.4.0

- old
+ new

@@ -4,31 +4,42 @@ this.use(Sammy.Title);
 this.setTitle("OAuth Console - ");
 // Use OAuth access token in all API requests.
 $(document).ajaxSend(function(e, xhr) {
- xhr.setRequestHeader("Authorization", "OAuth " + app.session("oauth.token"));
+ if (app.session("oauth.token"))
+ xhr.setRequestHeader("Authorization", "OAuth " + app.session("oauth.token"));
 });
 // For all request (except callback), if we don't have an OAuth access token,
 // ask for one by requesting authorization.
- this.before({ except: { path: /^#(access_token=|[^\\].*&access_token=)/ } }, function(context) {
+ this.before({ except: { path: /^#\w+=.+/ } }, function(context) {
 if (!app.session("oauth.token")) context.redirect(document.location.pathname + "/authorize?state=" + escape(context.path));
 })
+ function hashParams(hash) {
+ var pairs = hash.substring(1).split("&"), params = {};
+ for (var i in pairs) {
+ var splat = pairs[i].split("=");
+ params[splat[0]] = splat[1];
+ }
+ return params;
+ }
 // We recognize the OAuth authorization callback based on one of its
 // parameters. Crude but works here.
- this.get(/^#(access_token=|[^\\].*&access_token=)/, function(context) {
+ this.get(/^#(access_token=|[^\\].*\&access_token=)/, function(context) {
 // Instead of a hash we get query parameters, so turn those into an object.
- var params = context.path.substring(1).split("&"), args = {};
- for (var i in params) {
- var splat = params[i].split("=");
- args[splat[0]] = splat[1];
- }
- app.session("oauth.token", args.access_token);
+ var params = hashParams(context.path);
+ app.session("oauth.token", params.access_token);
 // When the filter redirected the original request, it passed the original
 // request's URL in the state parameter, which we get back after
 // authorization.
- context.redirect(args.state.length == 0 ? "#/" : unescape(args.state));
+ context.redirect(params.state.length == 0 ? "#/" : unescape(params.state));
+ });
+ // Authorization error/rejected.
+ this.get(/^#(error=|[^\\].*\&error=)/, function(context) {
+ var params = hashParams(context.path);
+ var error = params.error_description || "You were denied access";
+ context.partial("admin/views/no_access.tmpl", { error: error.replace(/\+/g, " ") });
 });
 var api = document.location.pathname + "/api";
 // View all clients
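Review bot: The callback handler's `context.redirect(params.state.length == 0 ? "#/" : unescape(params.state));` trusts the `state` value from the URL fragment in two ways: a callback that carries no `state` pair leaves `params.state` undefined so `.length` throws, and a value that is present becomes the redirect target with no check that it is one of the console's own hash routes. The filter only ever sends `escape(context.path)` and the routes in this hunk match paths beginning with `#`, so I would constrain it with `var target = params.state ? unescape(params.state) : "#/";` followed by `context.redirect(target.charAt(0) == "#" ? target : "#/");`. In the new error route, `error_description` is likewise taken from the fragment and only has `+` replaced, so it is worth confirming that `no_access.tmpl` (not shown here) HTML-escapes `error` when rendering. The enclosing Sammy application function begins before this hunk and continues after it.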