Explicitly catch an error querystring with value access_denied; this …

…signifies user canceled out of the installation flow. This fixes #1186

packages/oauth/src/index.spec.js

@@ -417,8 +417,8 @@ describe('OAuth', async () => {
       assert.isTrue(sent);
     });
 
-    it('should call the failure callback due to missing code query parameter on the URL', async () => {
-      const req = { url: 'http://example.com' };
+    it('should call the failure callback if an access_denied error query parameter was returned on the URL', async () => {
+      const req = { url: 'http://example.com?error=access_denied' };
       let sent = false;
       const res = { send: () => { sent = true; } };
       const callbackOptions = {
@@ -427,7 +427,7 @@ describe('OAuth', async () => {
           assert.fail('should have failed');
         },
         failure: async (error, installOptions, req, res) => {
-          assert.equal(error.code, ErrorCode.MissingStateError)
+          assert.equal(error.code, ErrorCode.AuthorizationError)
           res.send('failure');
         },
       }

packages/oauth/src/index.ts

@@ -315,12 +315,17 @@ export class InstallProvider {
   ): Promise<void> {
     let parsedUrl;
     let code: string;
+    let flowError: string;
     let state: string;
     let installOptions: InstallURLOptions;
 
     try {
       if (req.url !== undefined) {
         parsedUrl = new URL(req.url);
+        flowError = parsedUrl.searchParams.get('error') as string;
+        if (flowError === 'access_denied') {
+          throw new AuthorizationError('User cancelled the OAuth installation flow!');
+        }
         code = parsedUrl.searchParams.get('code') as string;
         state = parsedUrl.searchParams.get('state') as string;
         if (!state || !code) {