From 4e9118e7215499882a8e65ac17392919581d4d70 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Thu, 29 Feb 2024 18:42:19 +0100
Subject: [PATCH] fix: show error page on identity mismatch

---
 continuity/container.go | 2 +-
 selfservice/flow/settings/flow.go | 4 ++--
 selfservice/flow/settings/handler_test.go | 12 ++++++------
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/continuity/container.go b/continuity/container.go
index 9b2d434b859a..823942414555 100644
--- a/continuity/container.go
+++ b/continuity/container.go
@@ -63,7 +63,7 @@ func (c *Container) Valid(identity uuid.UUID) error {
 }
 
 if identity != uuid.Nil && pointerx.Deref(c.IdentityID) != identity {
-return errors.WithStack(herodot.ErrBadRequest.WithReasonf("You must restart the flow because the resumable session was initiated by another person."))
+return errors.WithStack(herodot.ErrForbidden.WithReasonf("The flow has been blocked for security reasons because it was initiated by another person.."))
 }
 
 return nil
diff --git a/selfservice/flow/settings/flow.go b/selfservice/flow/settings/flow.go
index 25632cd2e93e..7b0c14bc347e 100644
--- a/selfservice/flow/settings/flow.go
+++ b/selfservice/flow/settings/flow.go
@@ -199,8 +199,8 @@ func (f *Flow) Valid(s *session.Session) error {
 }
 
 if f.IdentityID != s.Identity.ID {
-return errors.WithStack(herodot.ErrBadRequest.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
-"You must restart the flow because the resumable session was initiated by another person."))
+return errors.WithStack(herodot.ErrForbidden.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
+"The request was initiated by someone else and has been blocked for security reasons. Please go back and try again."))
 }
 
 return nil
diff --git a/selfservice/flow/settings/handler_test.go b/selfservice/flow/settings/handler_test.go
index a24e598c64aa..35d34fd735fc 100644
--- a/selfservice/flow/settings/handler_test.go
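Review bot: The new reason string in container.go ends with a doubled period (`another person..`), which is user-facing text that now lands verbatim on the error page; drop one: `"The flow has been blocked for security reasons because it was initiated by another person."`. The same identity-mismatch condition in selfservice/flow/settings/flow.go (the next hunk) now returns different wording and additionally tags the error with `.WithID(text.ErrIDInitiatedBySomeoneElse)`, so a client matching on that ID will not recognise this instance of the same rejection. If the continuity package can import `text` without an import cycle, using the same ID and phrasing here would keep the two paths consistent and make the error detectable by a stable identifier rather than by free text. Container.Valid's body begins before the hunk.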
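Review bot: The reason text added in flow.go tells the user to "go back and try again", but Flow.Valid is reached from API and SPA clients as well as browsers — the handler_test.go hunks assert this exact string for type=api — and for those callers there is nothing to go back to. A client-neutral phrasing such as `"The request was initiated by someone else and has been blocked for security reasons. Please restart the flow."` reads correctly both on the rendered error page and inside a JSON error body. Moving from 400 to 403 is the right status for an authorization failure on someone else's flow, and the message is carried by `WithReasonf`, so the wording change has no effect on the `text.ErrIDInitiatedBySomeoneElse` ID that clients should key on. The method body begins outside the hunk.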
+++ b/selfservice/flow/settings/handler_test.go
@@ -544,8 +544,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, &f, user2, `{"method":"not-exists"}`)
-assert.Equal(t, http.StatusBadRequest, res.StatusCode)
-assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+assert.Equal(t, http.StatusForbidden, res.StatusCode)
+assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 
 t.Run("type=spa", func(t *testing.T) {
@@ -556,8 +556,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, &f, user2, `{"method":"not-exists"}`)
-assert.Equal(t, http.StatusBadRequest, res.StatusCode)
-assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+assert.Equal(t, http.StatusForbidden, res.StatusCode)
+assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 
 t.Run("type=browser", func(t *testing.T) {
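Review bot: The expected reason string is pasted verbatim into three subtests (this hunk and the `@@ -556` and `@@ -568` hunks), so any future wording change in flow.go must be mirrored in three places and a drift in one is easy to miss. Hoisting it once above the subtests, `const reasonInitiatedBySomeoneElse = "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again."`, and asserting against that constant keeps the three cases aligned. Since the new assertions read the generic error envelope (`error.reason`) rather than a flow UI message, it would also be worth asserting the stable identifier — `text.ErrIDInitiatedBySomeoneElse` — from the envelope's ID field (herodot errors normally expose one), because that, not the free text, is what clients should branch on. The enclosing TestHandler function begins and ends outside these hunks.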
@@ -568,8 +568,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, &f, user2, `{"method":"not-exists"}`)
-assert.Equal(t, http.StatusBadRequest, res.StatusCode)
-assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+assert.Equal(t, http.StatusForbidden, res.StatusCode)
+assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 })