Status code tests

selfservice/flow/login/handler_test.go

@@ -462,6 +462,25 @@ func TestFlowLifecycle(t *testing.T) {
 				assertion(body, true, false)
 				assert.Contains(t, res.Request.URL.String(), loginTS.URL)
 			})
+
+			t.Run("case=redirects with 303", func(t *testing.T) {
+				c := http.DefaultClient
+				// don't get the reference, instead copy the values, so we don't alter the client directly.
+				*c = *ts.Client()
+				// prevent the redirect
+				c.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+					return http.ErrUseLastResponse
+				}
+				req, err := http.NewRequest("GET", ts.URL+login.RouteInitBrowserFlow, nil)
+				require.NoError(t, err)
+
+				res, err := c.Do(req)
+				require.NoError(t, err)
+				// here we check that the redirect status is 303
+				require.Equal(t, http.StatusSeeOther, res.StatusCode)
+				defer res.Body.Close()
+			})
+
 		})
 		t.Run("case=relative redirect when self-service login ui is a relative URL", func(t *testing.T) {
 			reg.Config(context.Background()).MustSet(config.ViperKeySelfServiceLoginUI, "/login-ts")

selfservice/flow/logout/handler_test.go

@@ -223,4 +223,22 @@ func TestLogout(t *testing.T) {
 		assert.EqualValues(t, http.StatusUnauthorized, res.StatusCode)
 		assert.EqualValues(t, "No active session was found in this request.", gjson.GetBytes(body, "error.reason").String(), "%s", body)
 	})
+
+	t.Run("case=init logout through browser does 303 redirect", func(t *testing.T) {
+		// init the logout
+		hc, logoutUrl := getLogoutUrl(t)
+		// prevent the redirect, so we can get check the status code
+		hc.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		}
+		// submit the login
+		req, err := http.NewRequest("GET", logoutUrl, nil)
+		require.NoError(t, err)
+
+		res, err := hc.Do(req)
+		require.NoError(t, err)
+		// here we check that the redirect status is 303
+		require.Equal(t, http.StatusSeeOther, res.StatusCode)
+		defer res.Body.Close()
+	})
 }