Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use HTTP 303 instead of 302 for selfservice redirects #2215

Merged
merged 9 commits into from
Feb 16, 2022
Merged

fix: use HTTP 303 instead of 302 for selfservice redirects #2215

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
5016911
fix: use HTTP 303 instead of 302 for selfservice redirects
maurice-freitag Feb 11, 2022
543d704
Merge branch 'master' into fix/redirect-status-codes
maurice-freitag Feb 11, 2022
d4531f1
test: browser login redirect status code 303
Feb 14, 2022
b12a7d5
test: logout redirect status code 303
Feb 14, 2022
dc74151
Merge pull request #1 from Benehiko/status-code-tests
maurice-freitag Feb 14, 2022
536a9e9
added unit tests for remaining flows, fixed e2e test setup
maurice-freitag Feb 15, 2022
71cbfc3
Merge remote-tracking branch 'upstream/master' into fix/redirect-stat…
maurice-freitag Feb 15, 2022
9c0e3f1
Merge branch 'master' into fix/redirect-status-codes
maurice-freitag Feb 15, 2022
44a6298
fixed tests
maurice-freitag Feb 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 31 additions & 31 deletions internal/httpclient/api/openapi.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -656,16 +656,16 @@ paths:

API flows expect `application/json` to be sent in the body and responds with
HTTP 200 and a application/json body with the session token on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.

Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
a HTTP 302 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;
a HTTP 302 redirect to the login UI URL with the flow ID containing the validation errors otherwise.
a HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;
a HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.

Browser flows with an accept header of `application/json` will not redirect but instead respond with
HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.

If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
Expand Down Expand Up @@ -716,7 +716,7 @@ paths:
schema:
$ref: '#/components/schemas/successfulSelfServiceLoginWithoutBrowser'
description: successfulSelfServiceLoginWithoutBrowser
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -888,7 +888,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceLoginFlow'
description: selfServiceLoginFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -997,7 +997,7 @@ paths:
description: |-
This endpoint logs out an identity in a self-service manner.

If the `Accept` HTTP header is not set to `application/json`, the browser will be redirected (HTTP 302 Found)
If the `Accept` HTTP header is not set to `application/json`, the browser will be redirected (HTTP 303 See Other)
to the `return_to` parameter of the initial request or fall back to `urls.default_return_to`.

If the `Accept` HTTP header is set to `application/json`, a 204 No Content response
Expand Down Expand Up @@ -1034,7 +1034,7 @@ paths:
"204":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"500":
Expand Down Expand Up @@ -1142,12 +1142,12 @@ paths:
`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
and works with API- and Browser-initiated flows.
For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid.
and a HTTP 302 Found redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 302 Found redirect to the Recovery UI URL with the Recovery Flow ID appended.
and a HTTP 303 See Other redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Recovery UI URL with the Recovery Flow ID appended.
`sent_email` is the success state after `choose_method` for the `link` method and allows the user to request another recovery email. It
works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a recovery link")
does not have any API capabilities. The server responds with a HTTP 302 Found redirect either to the Settings UI URL
does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
(if the link was valid) and instructs the user to update their password, or a redirect to the Recover UI URL with
a new Recovery Flow ID which contains an error message that the recovery link was invalid.

Expand Down Expand Up @@ -1196,7 +1196,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceRecoveryFlow'
description: selfServiceRecoveryFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1284,7 +1284,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceRecoveryFlow'
description: selfServiceRecoveryFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1386,16 +1386,16 @@ paths:
API flows expect `application/json` to be sent in the body and respond with
HTTP 200 and a application/json body with the created identity success - if the session hook is configured the
`session` and `session_token` will also be included;
HTTP 302 redirect to a fresh registration flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh registration flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.

Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
a HTTP 302 redirect to the post/after registration URL or the `return_to` value if it was set and if the registration succeeded;
a HTTP 302 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.
a HTTP 303 redirect to the post/after registration URL or the `return_to` value if it was set and if the registration succeeded;
a HTTP 303 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.

Browser flows with an accept header of `application/json` will not redirect but instead respond with
HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.

If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
Expand Down Expand Up @@ -1438,7 +1438,7 @@ paths:
schema:
$ref: '#/components/schemas/successfulSelfServiceRegistrationWithoutBrowser'
description: successfulSelfServiceRegistrationWithoutBrowser
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1552,7 +1552,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceRegistrationFlow'
description: selfServiceRegistrationFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"500":
Expand Down Expand Up @@ -1658,20 +1658,20 @@ paths:

API-initiated flows expect `application/json` to be sent in the body and respond with
HTTP 200 and an application/json body with the session token on success;
HTTP 302 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set;
HTTP 400 on form validation errors.
HTTP 401 when the endpoint is called without a valid session token.
HTTP 403 when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
Implies that the user needs to re-authenticate.

Browser flows without HTTP Header `Accept` or with `Accept: text/*` respond with
a HTTP 302 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded;
a HTTP 302 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise.
a HTTP 302 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
a HTTP 303 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded;
a HTTP 303 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise.
a HTTP 303 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.

Browser flows with HTTP Header `Accept: application/json` respond with
HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
HTTP 302 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
HTTP 401 when the endpoint is called without a valid session cookie.
HTTP 403 when the page is accessed without a session cookie or the session's AAL is too low.
HTTP 400 on form validation errors.
Expand Down Expand Up @@ -1734,7 +1734,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceSettingsFlow'
description: selfServiceSettingsFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -1875,7 +1875,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceSettingsFlow'
description: selfServiceSettingsFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -2015,12 +2015,12 @@ paths:
`choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
and works with API- and Browser-initiated flows.
For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid
and a HTTP 302 Found redirect with a fresh verification flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 302 Found redirect to the Verification UI URL with the Verification Flow ID appended.
and a HTTP 303 See Other redirect with a fresh verification flow if the flow was otherwise invalid (e.g. expired).
For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Verification UI URL with the Verification Flow ID appended.
`sent_email` is the success state after `choose_method` when using the `link` method and allows the user to request another verification email. It
works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
`passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a verification link")
does not have any API capabilities. The server responds with a HTTP 302 Found redirect either to the Settings UI URL
does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
(if the link was valid) and instructs the user to update their password, or a redirect to the Verification UI URL with
a new Verification Flow ID which contains an error message that the verification link was invalid.

Expand Down Expand Up @@ -2069,7 +2069,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceVerificationFlow'
description: selfServiceVerificationFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"400":
Expand Down Expand Up @@ -2152,7 +2152,7 @@ paths:
schema:
$ref: '#/components/schemas/selfServiceVerificationFlow'
description: selfServiceVerificationFlow
"302":
"303":
description: Empty responses are sent when, for example, resources are deleted.
The HTTP status code for empty responses is typically 201.
"500":
Expand Down
Loading