Skip to content

Commit

Permalink
fix: use HTTP 303 instead of 302 for selfservice redirects (#2215)
Browse files Browse the repository at this point in the history 
Closes #1969

Co-authored-by: Alano Terblanche <[email protected]>
  • Loading branch information
@maurice-freitag
maurice-freitag and Alano Terblanche authored Feb 16, 2022
1 parent 1eb3f18 commit 50b6bd8
Show file tree
Hide file tree
Showing 18 changed files with 252 additions and 141 deletions.
62 changes: 31 additions & 31 deletions internal/httpclient/api/openapi.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -656,16 +656,16 @@ paths:
API flows expect `application/json` to be sent in the body and responds with
HTTP 200 and a application/json body with the session token on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.
Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
a HTTP 302 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;
a HTTP 302 redirect to the login UI URL with the flow ID containing the validation errors otherwise.
a HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;
a HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.
Browser flows with an accept header of `application/json` will not redirect but instead respond with
HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.
If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
Expand Down Expand Up @@ -716,7 +716,7 @@ paths:
schema:
$ref: '#/components/schemas/successfulSelfServiceLoginWithoutBrowser'
description: successfulSelfServiceLoginWithoutBrowser
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -888,7 +888,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceLoginFlow'
description: selfServiceLoginFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -997,7 +997,7 @@ paths:
description: |-
This endpoint logs out an identity in a self-service manner.
If the `Accept` HTTP header is not set to `application/json`, the browser will be redirected (HTTP 302 Found)
If the `Accept` HTTP header is not set to `application/json`, the browser will be redirected (HTTP 303 See Other)
to the `return_to` parameter of the initial request or fall back to `urls.default_return_to`.
If the `Accept` HTTP header is set to `application/json`, a 204 No Content response
Expand Down Expand Up @@ -1034,7 +1034,7 @@ paths:
"204":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"500":
Expand Down Expand Up @@ -1142,12 +1142,12 @@ paths:
`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
and works with API- and Browser-initiated flows.
For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid.
and a HTTP 302 Found redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 302 Found redirect to the Recovery UI URL with the Recovery Flow ID appended.
and a HTTP 303 See Other redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Recovery UI URL with the Recovery Flow ID appended.
`sent_email` is the success state after `choose_method` for the `link` method and allows the user to request another recovery email. It
works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a recovery link")
does not have any API capabilities. The server responds with a HTTP 302 Found redirect either to the Settings UI URL
does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
(if the link was valid) and instructs the user to update their password, or a redirect to the Recover UI URL with
a new Recovery Flow ID which contains an error message that the recovery link was invalid.
Expand Down Expand Up @@ -1196,7 +1196,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceRecoveryFlow'
description: selfServiceRecoveryFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1284,7 +1284,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceRecoveryFlow'
description: selfServiceRecoveryFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1386,16 +1386,16 @@ paths:
API flows expect `application/json` to be sent in the body and respond with
HTTP 200 and a application/json body with the created identity success - if the session hook is configured the
`session` and `session_token` will also be included;
HTTP 302 redirect to a fresh registration flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh registration flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.
Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
a HTTP 302 redirect to the post/after registration URL or the `return_to` value if it was set and if the registration succeeded;
a HTTP 302 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.
a HTTP 303 redirect to the post/after registration URL or the `return_to` value if it was set and if the registration succeeded;
a HTTP 303 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.
Browser flows with an accept header of `application/json` will not redirect but instead respond with
HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.
If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
Expand Down Expand Up @@ -1438,7 +1438,7 @@ paths:
schema:
$ref: '#/components/schemas/successfulSelfServiceRegistrationWithoutBrowser'
description: successfulSelfServiceRegistrationWithoutBrowser
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1552,7 +1552,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceRegistrationFlow'
description: selfServiceRegistrationFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"500":
Expand Down Expand Up @@ -1658,20 +1658,20 @@ paths:
API-initiated flows expect `application/json` to be sent in the body and respond with
HTTP 200 and an application/json body with the session token on success;
HTTP 302 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.
HTTP 401 when the endpoint is called without a valid session token.
HTTP 403 when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
Implies that the user needs to re-authenticate.
Browser flows without HTTP Header `Accept` or with `Accept: text/*` respond with
a HTTP 302 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded;
a HTTP 302 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise.
a HTTP 302 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
a HTTP 303 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded;
a HTTP 303 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise.
a HTTP 303 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
Browser flows with HTTP Header `Accept: application/json` respond with
HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 401 when the endpoint is called without a valid session cookie.
HTTP 403 when the page is accessed without a session cookie or the session's AAL is too low.
HTTP 400 on form validation errors.
Expand Down Expand Up @@ -1734,7 +1734,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceSettingsFlow'
description: selfServiceSettingsFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1875,7 +1875,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceSettingsFlow'
description: selfServiceSettingsFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -2015,12 +2015,12 @@ paths:
`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
and works with API- and Browser-initiated flows.
For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid
and a HTTP 302 Found redirect with a fresh verification flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 302 Found redirect to the Verification UI URL with the Verification Flow ID appended.
and a HTTP 303 See Other redirect with a fresh verification flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Verification UI URL with the Verification Flow ID appended.
`sent_email` is the success state after `choose_method` when using the `link` method and allows the user to request another verification email. It
works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a verification link")
does not have any API capabilities. The server responds with a HTTP 302 Found redirect either to the Settings UI URL
does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
(if the link was valid) and instructs the user to update their password, or a redirect to the Verification UI URL with
a new Verification Flow ID which contains an error message that the verification link was invalid.
Expand Down Expand Up @@ -2069,7 +2069,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceVerificationFlow'
description: selfServiceVerificationFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -2152,7 +2152,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceVerificationFlow'
description: selfServiceVerificationFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"500":
Expand Down
Loading

0 comments on commit 50b6bd8

Please sign in to comment.