diff --git a/continuity/container.go b/continuity/container.go
index 9b2d434b859a..823942414555 100644
--- a/continuity/container.go
+++ b/continuity/container.go
@@ -63,7 +63,7 @@ func (c *Container) Valid(identity uuid.UUID) error {
 }
 if identity != uuid.Nil && pointerx.Deref(c.IdentityID) != identity {
- return errors.WithStack(herodot.ErrBadRequest.WithReasonf("You must restart the flow because the resumable session was initiated by another person."))
+ return errors.WithStack(herodot.ErrForbidden.WithReasonf("The flow has been blocked for security reasons because it was initiated by another person.."))
 }
 return nil
diff --git a/selfservice/flow/settings/flow.go b/selfservice/flow/settings/flow.go
index 25632cd2e93e..7b0c14bc347e 100644
--- a/selfservice/flow/settings/flow.go
+++ b/selfservice/flow/settings/flow.go
@@ -199,8 +199,8 @@ func (f *Flow) Valid(s *session.Session) error {
 }
 if f.IdentityID != s.Identity.ID {
- return errors.WithStack(herodot.ErrBadRequest.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
- "You must restart the flow because the resumable session was initiated by another person."))
+ return errors.WithStack(herodot.ErrForbidden.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
+ "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again."))
 }
 return nil
diff --git a/selfservice/flow/settings/handler_test.go b/selfservice/flow/settings/handler_test.go
index a24e598c64aa..35d34fd735fc 100644
--- a/selfservice/flow/settings/handler_test.go
+++ b/selfservice/flow/settings/handler_test.go
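Review bot: The new reason string on the `+` line in continuity/container.go ends with a double period (`another person..`); since the settings tests in this commit assert reason text verbatim, a stray character like this is exactly the kind of drift that only shows up at runtime, so make it `return errors.WithStack(herodot.ErrForbidden.WithReasonf("The flow has been blocked for security reasons because it was initiated by another person."))`. The wording also differs from the flow.go hunk in this same commit ("initiated by someone else … Please go back and try again"), and unlike flow.go this error carries no `WithID(text.ErrIDInitiatedBySomeoneElse)`, so a client cannot match the two refusals uniformly even though they describe the same ownership violation; consider attaching the same ID here. Container.Valid begins outside the hunk.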
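Review bot: The check on the new `+` lines in selfservice/flow/settings/flow.go now answers 403 with a reason that explicitly tells the caller the flow belongs to a different identity, which confirms to whoever holds the flow ID that it exists and is in use; that is an acceptable trade-off only while flow IDs are unguessable, and the decision deserves a comment at the check so a later change does not silently alter it, e.g. `// NOTE(review): 403 here intentionally reveals that the flow exists but is bound to another identity — acceptable only while flow IDs stay unguessable; confirm.` The reason sentence is also hard-coded here and repeated verbatim in the test files touched by this commit, so hoisting it into one constant in the `text` package alongside `ErrIDInitiatedBySomeoneElse` would keep the API and its tests from drifting apart. Flow.Valid begins outside the hunk.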
@@ -544,8 +544,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, &f, user2, `{"method":"not-exists"}`)
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 t.Run("type=spa", func(t *testing.T) {
@@ -556,8 +556,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, &f, user2, `{"method":"not-exists"}`)
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 t.Run("type=browser", func(t *testing.T) {
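Review bot: The full expected reason sentence is pasted verbatim on the new `assert.Equal` lines of both hunks here and again in the `@@ -568` hunk, so the next wording change means editing three test strings plus flow.go, and a near-miss like the double period in container.go is caught only by a failing run; hoist it once, `const reasonInitiatedBySomeoneElse = "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again."`, or reference the production constant if one is introduced. The assertions also moved from `ui.messages.0.text` to `error.reason`, which is consistent with the response now being an error envelope rather than a re-rendered form, but nothing in the subtests says the request is now expected to be refused outright; a comment above each `SettingsMakeRequest` such as `// user2 does not own the flow: expect a 403 error body, not a re-rendered form` would make the intent explicit. TestHandler begins outside the hunk.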
@@ -568,8 +568,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, &f, user2, `{"method":"not-exists"}`)
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 })
diff --git a/selfservice/strategy/password/settings_test.go b/selfservice/strategy/password/settings_test.go
index 3c5a3c9f9615..a4ee7e6c7fa0 100644
--- a/selfservice/strategy/password/settings_test.go
+++ b/selfservice/strategy/password/settings_test.go
@@ -202,8 +202,8 @@ func TestSettings(t *testing.T) {
 values.Set("method", "password")
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, f, apiUser2, testhelpers.EncodeFormAsJSON(t, true, values))
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=spa", func(t *testing.T) {
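Review bot: The `type=browser` subtest in this hunk expects `http.StatusForbidden` and reads `error.reason`, while the `type=browser` subtests in selfservice/strategy/password/settings_test.go (`@@ -223`) and selfservice/strategy/profile/strategy_test.go (`@@ -294`) keep `http.StatusOK` and read a top-level `reason` for what looks like the same ownership violation. If that difference is intentional — presumably the browser path is redirected to an error page whose body the helper returns with 200 — it is not documented anywhere in the diff, so a reader cannot tell whether a 200 for a blocked request is a deliberate expectation or a stale assertion. A comment above those two `assert.Equal(t, http.StatusOK, ...)` lines, e.g. `// browser: presumably the helper follows the redirect to the error UI, so the blocked request surfaces as 200 with a top-level reason — confirm`, would settle it; if the explanation does not hold, those assertions should move to 403 like this one. TestHandler begins outside the hunk.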
@@ -212,8 +212,8 @@ func TestSettings(t *testing.T) {
 values.Set("method", "password")
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, f, browserUser2, values.Encode())
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=browser", func(t *testing.T) {
@@ -223,7 +223,7 @@ func TestSettings(t *testing.T) {
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, f, browserUser2, values.Encode())
 assert.Equal(t, http.StatusOK, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Contains(t, gjson.Get(actual, "reason").String(), "initiated by someone else", "%s", actual)
 })
 })
diff --git a/selfservice/strategy/profile/strategy_test.go b/selfservice/strategy/profile/strategy_test.go
index f67407fe799f..7d0c831711c3 100644
--- a/selfservice/strategy/profile/strategy_test.go
+++ b/selfservice/strategy/profile/strategy_test.go
@@ -275,8 +275,8 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, f, apiUser2, testhelpers.EncodeFormAsJSON(t, true, values))
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=spa", func(t *testing.T) {
@@ -284,8 +284,8 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, f, browserUser2, testhelpers.EncodeFormAsJSON(t, true, values))
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=browser", func(t *testing.T) {
@@ -294,7 +294,7 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, f, browserUser2, values.Encode())
 assert.Equal(t, http.StatusOK, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Contains(t, gjson.Get(actual, "reason").String(), "initiated by someone else", "%s", actual)
 })
 })