From 6aa545ad1c28a1738ded6090cbfbb2c254401d66 Mon Sep 17 00:00:00 2001
From: Jim Jiang
Date: Wed, 14 Feb 2024 12:40:48 +0800
Subject: [PATCH] fix: check OIDC setting method via flow.MethodEnabledAndAllowed

OIDC setting will produce faulty "endpoint disabled" when request from another method, because it does not check if request method is matched with OIDC. Use flow.MethodEnabledAndAllowed could fix this problem.
---
 selfservice/strategy/oidc/strategy_settings.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/selfservice/strategy/oidc/strategy_settings.go b/selfservice/strategy/oidc/strategy_settings.go
index 24623938fd87..a29d2f3d457f 100644
--- a/selfservice/strategy/oidc/strategy_settings.go
+++ b/selfservice/strategy/oidc/strategy_settings.go
@@ -18,7 +18,6 @@ import (
 "golang.org/x/oauth2"
 "github.com/ory/kratos/continuity"
- "github.com/ory/kratos/selfservice/strategy"
 "github.com/ory/x/decoderx"
 "github.com/ory/kratos/session"
@@ -255,8 +254,8 @@ func (s *Strategy) Settings(w http.ResponseWriter, r *http.Request, f *settings.
 ctxUpdate, err := settings.PrepareUpdate(s.d, w, r, f, ss, settings.ContinuityKey(s.SettingsStrategyID()), &p)
 if errors.Is(err, settings.ErrContinuePreviousAction) {
- if !s.d.Config().SelfServiceStrategy(r.Context(), s.SettingsStrategyID()).Enabled {
- return nil, errors.WithStack(herodot.ErrNotFound.WithReason(strategy.EndpointDisabledMessage))
+ if err := flow.MethodEnabledAndAllowed(r.Context(), flow.SettingsFlow, s.SettingsStrategyID(), p.Method, s.d); err != nil {
+ return nil, err
 }
 if l := len(p.Link); l > 0 {
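Review bot: In the `ErrContinuePreviousAction` branch the method handed to `flow.MethodEnabledAndAllowed` is `p.Method`, and `p` at that point is whatever `settings.PrepareUpdate` filled in through `&p`, presumably the payload restored from the continuity container rather than the body of the current request. If that stored payload was saved without a method, or with a different one, a link or unlink resumed after re-authentication would, going by the commit message, now be treated as a method mismatch instead of being completed; the removed `Enabled`-only check could not do that. A comment on the call, for example `// p is the restored continuity payload; its Method must equal SettingsStrategyID() for the resumed action to be handled here`, would record the assumption. The inner `err :=` also shadows the `err` tested by `errors.Is` one line above, which is harmless here but easy to trip over later. The same call is added in the hunk at -282, and the body of `Settings` starts and ends outside both hunks.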
@@ -282,8 +281,8 @@ func (s *Strategy) Settings(w http.ResponseWriter, r *http.Request, f *settings.
 return nil, errors.WithStack(flow.ErrStrategyNotResponsible)
 }
- if !s.d.Config().SelfServiceStrategy(r.Context(), s.SettingsStrategyID()).Enabled {
- return nil, errors.WithStack(herodot.ErrNotFound.WithReason(strategy.EndpointDisabledMessage))
+ if err := flow.MethodEnabledAndAllowed(r.Context(), flow.SettingsFlow, s.SettingsStrategyID(), p.Method, s.d); err != nil {
+ return nil, err
 }
 if l, u := len(p.Link), len(p.Unlink); l > 0 && u > 0 {
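Review bot: Nothing pins the behaviour of this gate, since the diffstat shows `strategy_settings.go` as the only file changed, yet it decides whether a disabled OIDC strategy still answers settings requests. Two cases deserve a test: with the strategy disabled and the OIDC method submitted, the handler must still fail closed with the not-found error the removed lines returned; with another method submitted, it must pass the request on without the "endpoint disabled" reason. The unchanged lines just above already return `flow.ErrStrategyNotResponsible`, so responsibility is now decided twice in a row. A comment such as `// reached only after the responsibility check above; additionally requires p.Method to match and the strategy to be enabled` would make the ordering explicit. The enclosing function continues outside the hunk.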