From 4e9118e7215499882a8e65ac17392919581d4d70 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Thu, 29 Feb 2024 18:42:19 +0100
Subject: [PATCH 1/5] fix: show error page on identity mismatch
---
 continuity/container.go | 2 +-
 selfservice/flow/settings/flow.go | 4 ++--
 selfservice/flow/settings/handler_test.go | 12 ++++++------
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/continuity/container.go b/continuity/container.go
index 9b2d434b859a..823942414555 100644
--- a/continuity/container.go
+++ b/continuity/container.go
@@ -63,7 +63,7 @@ func (c *Container) Valid(identity uuid.UUID) error {
 }
 if identity != uuid.Nil && pointerx.Deref(c.IdentityID) != identity {
- return errors.WithStack(herodot.ErrBadRequest.WithReasonf("You must restart the flow because the resumable session was initiated by another person."))
+ return errors.WithStack(herodot.ErrForbidden.WithReasonf("The flow has been blocked for security reasons because it was initiated by another person.."))
 }
 return nil
diff --git a/selfservice/flow/settings/flow.go b/selfservice/flow/settings/flow.go
index 25632cd2e93e..7b0c14bc347e 100644
--- a/selfservice/flow/settings/flow.go
+++ b/selfservice/flow/settings/flow.go
@@ -199,8 +199,8 @@ func (f *Flow) Valid(s *session.Session) error {
 }
 if f.IdentityID != s.Identity.ID {
- return errors.WithStack(herodot.ErrBadRequest.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
- "You must restart the flow because the resumable session was initiated by another person."))
+ return errors.WithStack(herodot.ErrForbidden.WithID(text.ErrIDInitiatedBySomeoneElse).WithReasonf(
+ "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again."))
 }
 return nil
diff --git a/selfservice/flow/settings/handler_test.go b/selfservice/flow/settings/handler_test.go
index a24e598c64aa..35d34fd735fc 100644
--- a/selfservice/flow/settings/handler_test.go
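Review bot: The new reason string on the `+` line of the container.go hunk ends with a doubled period, `another person..`, and that text is rendered verbatim to users; drop one: `"The flow has been blocked for security reasons because it was initiated by another person."`. Unlike the settings flow's `Valid`, this error carries no `WithID(...)`, so clients and tests can only match it by copy text; attaching the same `text.ErrIDInitiatedBySomeoneElse` ID here would give them a stable identifier, assuming the `text` package can be imported from `continuity` without a cycle. A resumption attempt by a different identity is also a useful audit signal, so if the caller of `Valid` does not already log the flow and identity IDs when this branch fires, that would be worth adding at the call site. The body of `Valid` starts outside the hunk.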
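Review bot: The wording on the new `+` lines of the flow.go hunk differs from what container.go's `Valid` now emits for the same condition (`initiated by someone else` here, `initiated by another person` there), so the two error surfaces disagree and the test suites end up asserting on two different fragments; defining the sentence once, for instance alongside `text.ErrIDInitiatedBySomeoneElse`, and using it in both places would keep them aligned. Moving the status from 400 to 403 is an observable API change for API and SPA clients that switch on the code, and deserves a line in the changelog or release notes. The body of `Valid` starts outside the hunk.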
+++ b/selfservice/flow/settings/handler_test.go
@@ -544,8 +544,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, &f, user2, `{"method":"not-exists"}`)
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 t.Run("type=spa", func(t *testing.T) {
@@ -556,8 +556,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, &f, user2, `{"method":"not-exists"}`)
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 t.Run("type=browser", func(t *testing.T) {
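Review bot: The rewritten assertions in the `@@ -544` hunk pin the full user-facing sentence from flow.go, so every copy edit forces a matching edit across three test files, which is exactly what the `@@ -556` and `@@ -568` hunks here and the settings_test.go and strategy_test.go hunks of patches 2 through 5 end up doing. Since the error now carries `WithID(text.ErrIDInitiatedBySomeoneElse)`, the stable check is the ID, assuming herodot serializes it under `error.id` next to `error.reason`: `assert.Equal(t, text.ErrIDInitiatedBySomeoneElse, gjson.Get(actual, "error.id").String(), actual)`, with the reason text reduced to a `Contains` on a short fragment. `TestHandler` starts and ends outside the hunk.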
@@ -568,8 +568,8 @@ func TestHandler(t *testing.T) {
 require.NoError(t, json.Unmarshal(body, &f))
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, &f, user2, `{"method":"not-exists"}`)
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Equal(t, "You must restart the flow because the resumable session was initiated by another person.", gjson.Get(actual, "ui.messages.0.text").String(), actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Equal(t, "The request was initiated by someone else and has been blocked for security reasons. Please go back and try again.", gjson.Get(actual, "error.reason").String(), actual)
 })
 })
From 32a8eb53720f79725d6e073cd1a6304060c0d1e9 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Fri, 1 Mar 2024 11:44:31 +0100
Subject: [PATCH 2/5] chore: synchronize workspaces
---
 selfservice/strategy/password/settings_test.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/selfservice/strategy/password/settings_test.go b/selfservice/strategy/password/settings_test.go
index 3c5a3c9f9615..5393e5779cfc 100644
--- a/selfservice/strategy/password/settings_test.go
+++ b/selfservice/strategy/password/settings_test.go
@@ -202,8 +202,8 @@ func TestSettings(t *testing.T) {
 values.Set("method", "password")
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, f, apiUser2, testhelpers.EncodeFormAsJSON(t, true, values))
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by another person", "%s", actual)
 })
 t.Run("type=spa", func(t *testing.T) {
@@ -212,8 +212,8 @@ func TestSettings(t *testing.T) {
 values.Set("method", "password")
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, f, browserUser2, values.Encode())
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by another person", "%s", actual)
 })
 t.Run("type=browser", func(t *testing.T) {
@@ -222,8 +222,8 @@ func TestSettings(t *testing.T) {
 values.Set("method", "password")
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, f, browserUser2, values.Encode())
- assert.Equal(t, http.StatusOK, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by another person", "%s", actual)
 })
 })
From 7191623c724523c7a1b70a13a076d5ff236ead76 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Fri, 1 Mar 2024 13:13:40 +0100
Subject: [PATCH 3/5] chore: synchronize workspaces
---
 selfservice/strategy/password/settings_test.go | 6 +++---
 selfservice/strategy/profile/strategy_test.go | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/selfservice/strategy/password/settings_test.go b/selfservice/strategy/password/settings_test.go
index 5393e5779cfc..65e17f635f03 100644
--- a/selfservice/strategy/password/settings_test.go
+++ b/selfservice/strategy/password/settings_test.go
@@ -203,7 +203,7 @@ func TestSettings(t *testing.T) {
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, f, apiUser2, testhelpers.EncodeFormAsJSON(t, true, values))
 assert.Equal(t, http.StatusForbidden, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by another person", "%s", actual)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=spa", func(t *testing.T) {
@@ -213,7 +213,7 @@ func TestSettings(t *testing.T) {
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, f, browserUser2, values.Encode())
 assert.Equal(t, http.StatusForbidden, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by another person", "%s", actual)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=browser", func(t *testing.T) {
@@ -223,7 +223,7 @@ func TestSettings(t *testing.T) {
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, f, browserUser2, values.Encode())
 assert.Equal(t, http.StatusForbidden, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by another person", "%s", actual)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 })
diff --git a/selfservice/strategy/profile/strategy_test.go b/selfservice/strategy/profile/strategy_test.go
index f67407fe799f..8daeca757696 100644
--- a/selfservice/strategy/profile/strategy_test.go
+++ b/selfservice/strategy/profile/strategy_test.go
@@ -275,8 +275,8 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, f, apiUser2, testhelpers.EncodeFormAsJSON(t, true, values))
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=spa", func(t *testing.T) {
@@ -284,8 +284,8 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, f, browserUser2, testhelpers.EncodeFormAsJSON(t, true, values))
- assert.Equal(t, http.StatusBadRequest, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=browser", func(t *testing.T) {
@@ -293,8 +293,8 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, f, browserUser2, values.Encode())
- assert.Equal(t, http.StatusOK, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by another person", "%s", actual)
+ assert.Equal(t, http.StatusForbidden, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by someone else", "%s", actual)
 })
 })
From cef6ea1a1f9a5561e47b222196f7236cab2e5601 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Mon, 4 Mar 2024 09:52:37 +0100
Subject: [PATCH 4/5] chore: synchronize workspaces
---
 selfservice/strategy/password/settings_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/selfservice/strategy/password/settings_test.go b/selfservice/strategy/password/settings_test.go
index 65e17f635f03..a4ee7e6c7fa0 100644
--- a/selfservice/strategy/password/settings_test.go
+++ b/selfservice/strategy/password/settings_test.go
@@ -222,8 +222,8 @@ func TestSettings(t *testing.T) {
 values.Set("method", "password")
 values.Set("password", x.NewUUID().String())
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, f, browserUser2, values.Encode())
- assert.Equal(t, http.StatusForbidden, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
+ assert.Equal(t, http.StatusOK, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "reason").String(), "initiated by someone else", "%s", actual)
 })
 })
From 08c670f9b9285c0741203e4538afd70fb9cfd67f Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Mon, 4 Mar 2024 12:08:02 +0100
Subject: [PATCH 5/5] chore: synchronize workspaces
---
 selfservice/strategy/profile/strategy_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/selfservice/strategy/profile/strategy_test.go b/selfservice/strategy/profile/strategy_test.go
index 8daeca757696..7d0c831711c3 100644
--- a/selfservice/strategy/profile/strategy_test.go
+++ b/selfservice/strategy/profile/strategy_test.go
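Review bot: The browser case in the `@@ -222` hunk now expects `http.StatusOK` and a top-level `reason`, while the otherwise parallel browser case in handler_test.go (`@@ -568` of patch 1) keeps `http.StatusForbidden` and `error.reason` for the same identity mismatch, and nothing in either test explains the difference. Presumably this flow is redirected to the error UI and the test helper follows the redirect to a stub that serves the error body at the top level with 200, but that is an inference from the assertions, not something the hunk states. A one-line comment above the changed lines, such as `// browser flows are redirected to the error UI; the test stub serves the error body with 200`, would spare the next reader the same puzzle, and the `@@ -293` hunk of strategy_test.go in patch 5 needs the same note. `TestSettings` starts and ends outside the hunk.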
@@ -276,7 +276,7 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, true, false, f, apiUser2, testhelpers.EncodeFormAsJSON(t, true, values))
 assert.Equal(t, http.StatusForbidden, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by someone else", "%s", actual)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=spa", func(t *testing.T) {
@@ -285,7 +285,7 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, false, true, f, browserUser2, testhelpers.EncodeFormAsJSON(t, true, values))
 assert.Equal(t, http.StatusForbidden, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by someone else", "%s", actual)
+ assert.Contains(t, gjson.Get(actual, "error.reason").String(), "initiated by someone else", "%s", actual)
 })
 t.Run("type=browser", func(t *testing.T) {
@@ -293,8 +293,8 @@ func TestStrategyTraits(t *testing.T) {
 values := testhelpers.SDKFormFieldsToURLValues(f.Ui.Nodes)
 actual, res := testhelpers.SettingsMakeRequest(t, false, false, f, browserUser2, values.Encode())
- assert.Equal(t, http.StatusForbidden, res.StatusCode)
- assert.Contains(t, gjson.Get(actual, "ui.messages.0.text").String(), "initiated by someone else", "%s", actual)
+ assert.Equal(t, http.StatusOK, res.StatusCode)
+ assert.Contains(t, gjson.Get(actual, "reason").String(), "initiated by someone else", "%s", actual)
 })
 })