Hidden OAuth application creation page doesn't work


Summary

We noticed that GitLab exposes a form for creating an OAuth application at the URL /oauth/applications/new, but the form doesn't actually work.

In a GDK environment, when you fill in the form and submit it, you will see an HTTP 500 response. On GitLab.com, you will see an HTTP 400 response.

As far as I can tell, the form isn't linked from anywhere within the GitLab UI. You have to know the URL and visit it directly.

Steps to reproduce

GDK

  1. Start your GDK
  2. Visit https://your_gdk_host/oauth/applications/new
  3. Fill in the form with valid values. For example:
  • Name: My Application
  • Callback url: https://your_gdk_host/callback
  • Scopes: api
  4. Press Submit
  5. Notice an HTTP 500 error:

[Screenshot: Screenshot_2025-10-07_at_18.26.24]

GitLab.com

  1. Visit https://gitlab.com/oauth/applications/new
  2. Fill in the form with valid values
  3. Press Submit
  4. Notice an HTTP 400 error.

What is the current bug behavior?

  • Submitting the form returns an HTTP 500 error (HTTP 400 on GitLab.com)

What is the expected correct behavior?

  • The form works properly, or
  • The form is not accessible to users.

Possible fixes

This bug is very low-impact because:

  • You need to know the exact URL path and visit it directly to access this form
  • This isn't the intended form for creating an OAuth application
  • There are well-documented ways to create an OAuth application using the working form, for example https://gitlab.com/-/user_settings/applications.

If the form isn't intended to be used, the best fix may be to make the form inaccessible to users.

Perhaps we could do that by overriding the route in routes.rb with a redirect().
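As an added illustration, not GitLab's code or the author's, here is the effect of that override written as a Rack-style middleware in plain Ruby (so it runs without Rails): the hidden form page is redirected to the working one, and the submit endpoint, assumed here to be POST /oauth/applications since the issue does not name it, answers 404 instead of 500. A real routes.rb override has to be declared before the Doorkeeper routes, since Rails matches routes in definition order.

```ruby
# Added example, not GitLab's code: a Rack-compatible middleware with the same
# effect as a routes.rb override such as
#   get '/oauth/applications/new', to: redirect('/-/user_settings/applications')
# Pure Ruby (hash in, [status, headers, body] out), so no Rack or Rails needed.
class HideDoorkeeperApplicationForm
  HIDDEN_FORM_PATH = "/oauth/applications/new".freeze
  # Assumption: the hidden form submits here; the issue only shows the 500/400.
  HIDDEN_SUBMIT_PATH = "/oauth/applications".freeze
  WORKING_FORM_PATH = "/-/user_settings/applications".freeze

  def initialize(app, logger: nil)
    @app = app
    @logger = logger # optional callable, e.g. for alerting on hits
  end

  def call(env)
    method = env["REQUEST_METHOD"]
    path = env["PATH_INFO"] # exact match; Rails normalises trailing slashes before this point

    if method == "GET" && path == HIDDEN_FORM_PATH
      log(env, "redirected to working form")
      return [302, { "location" => WORKING_FORM_PATH, "content-type" => "text/plain" },
              ["Redirecting to #{WORKING_FORM_PATH}\n"]]
    end

    if method == "POST" && path == HIDDEN_SUBMIT_PATH
      log(env, "blocked submit to hidden form")
      return [404, { "content-type" => "text/plain" }, ["Not found\n"]]
    end

    @app.call(env) # everything else passes through untouched
  end

  private

  def log(env, msg)
    @logger&.call("#{env['REQUEST_METHOD']} #{env['PATH_INFO']} from #{env['REMOTE_ADDR']}: #{msg}")
  end
end

# Stand-in for the downstream Rails stack (assumption): it just echoes the path.
ECHO_APP = ->(env) { [200, { "content-type" => "text/plain" }, ["reached #{env['PATH_INFO']}\n"]] }

# Drive one request through the middleware with a constructed Rack env.
def handle(method, path, logger: nil)
  app = HideDoorkeeperApplicationForm.new(ECHO_APP, logger: logger)
  app.call("REQUEST_METHOD" => method, "PATH_INFO" => path, "REMOTE_ADDR" => "203.0.113.5")
end
```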
