fix: show error page on identity mismatch

ory · Feb 29, 2024 · 59efaac · 59efaac
1 parent 9710549
commit 59efaac
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/continuity/container.go b/continuity/container.go
@@ -63,7 +63,7 @@ func (c *Container) Valid(identity uuid.UUID) error {
 	}
 
 	if identity != uuid.Nil && pointerx.Deref(c.IdentityID) != identity {
-		return errors.WithStack(herodot.ErrBadRequest.WithReasonf("You must restart the flow because the resumable session was initiated by another person."))
+		return errors.WithStack(herodot.ErrForbidden.WithReasonf("The flow has been blocked for security reasons because it was initiated by another person.."))
 	}
 
 	return nil

diff --git a/selfservice/flow/settings/flow.go b/selfservice/flow/settings/flow.go
@@ -199,8 +199,8 @@ func (f *Flow) Valid(s *session.Session) error {
 	}
 
 	if f.IdentityID != s.Identity.ID {
-		return errors.WithStack(herodot.ErrBadRequest.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
-			"You must restart the flow because the resumable session was initiated by another person."))
+		return errors.WithStack(herodot.ErrForbidden.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
+			"The request was initiated by someone else and has been blocked for security reasons. Please go back and try again."))
 	}
 
 	return nil

diff --git a/selfservice/flow/settings/handler_test.go b/selfservice/flow/settings/handler_test.go
@@ -544,8 +544,8 @@ func TestHandler(t *testing.T) {
 				require.NoError(t, json.Unmarshal(body, &f))
 
 				actual, res := testhelpers.SettingsMakeRequest(t, true, false, &f, user2, `{"method":"not-exists"}`)
-				assert.Equal(t, http.StatusBadRequest, res.StatusCode)
-				assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+				assert.Equal(t, http.StatusForbidden, res.StatusCode)
+				assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 			})
 
 			t.Run("type=spa", func(t *testing.T) {
@@ -556,8 +556,8 @@ func TestHandler(t *testing.T) {
 				require.NoError(t, json.Unmarshal(body, &f))
 
 				actual, res := testhelpers.SettingsMakeRequest(t, false, true, &f, user2, `{"method":"not-exists"}`)
-				assert.Equal(t, http.StatusBadRequest, res.StatusCode)
-				assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+				assert.Equal(t, http.StatusForbidden, res.StatusCode)
+				assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 			})
 
 			t.Run("type=browser", func(t *testing.T) {
@@ -568,8 +568,8 @@ func TestHandler(t *testing.T) {
 				require.NoError(t, json.Unmarshal(body, &f))
 
 				actual, res := testhelpers.SettingsMakeRequest(t, false, false, &f, user2, `{"method":"not-exists"}`)
-				assert.Equal(t, http.StatusBadRequest, res.StatusCode)
-				assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+				assert.Equal(t, http.StatusForbidden, res.StatusCode)
+				assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 			})
 		})