fix: Run post recovery hook before storing the session and issuing a cookie #3393

Merged
merged 3 commits into from
Aug 21, 2023

@BrandonNoad (Contributor) commented Jul 25, 2023

If the response to a flow-interrupting, after recovery webhook is 4xx or 5xx, the recovery flow should fail and no session should be issued.

Related issue(s)

Fixes #3193

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.
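
The ordering this description asks for, as an added example that is not part of the pull request or of the Kratos code base: a simplified model in which the post-recovery webhook runs first and a 4xx or 5xx answer fails the flow before any session exists. `CompleteRecovery`, `SessionStore`, `StubHook` and `ErrHookRejected` are hypothetical names, and the webhook is a constructed `httptest` stub.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrHookRejected is a hypothetical error for a hook that answered 4xx/5xx.
var ErrHookRejected = errors.New("post-recovery hook rejected the flow")

// SessionStore is a hypothetical stand-in for session storage plus cookie issuance.
type SessionStore struct{ Issued []string }

func (s *SessionStore) Issue(identityID string) { s.Issued = append(s.Issued, identityID) }

// runPostRecoveryHook calls the webhook and treats any 4xx/5xx status as a veto.
func runPostRecoveryHook(url string) error {
	resp, err := http.Post(url, "application/json", nil)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 400 {
		return fmt.Errorf("%w: status %d", ErrHookRejected, resp.StatusCode)
	}
	return nil
}

// CompleteRecovery runs the hook first; a session exists only if the hook allowed it.
func CompleteRecovery(store *SessionStore, hookURL, identityID string) error {
	if err := runPostRecoveryHook(hookURL); err != nil {
		return err // fail the flow before any session or cookie exists
	}
	store.Issue(identityID)
	return nil
}

// StubHook returns a constructed webhook endpoint that always answers with status.
func StubHook(status int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(status)
	}))
}

func main() {
	hook, store := StubHook(http.StatusForbidden), &SessionStore{}
	defer hook.Close()
	err := CompleteRecovery(store, hook.URL, "identity-1")
	fmt.Println(err, len(store.Issued))
}
```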

CLAassistant commented Jul 25, 2023

CLA assistant check
All committers have signed the CLA.

codecov bot commented Jul 25, 2023

Codecov Report

Merging #3393 (59a3f14) into master (59a3f14) will not change coverage.
The diff coverage is n/a.

❗ Current head 59a3f14 differs from pull request most recent head a6f2abe. Consider uploading reports for the commit a6f2abe to get more accurate results

@@           Coverage Diff           @@
##           master    #3393   +/-   ##
=======================================
  Coverage   78.07%   78.07%           
=======================================
  Files         327      327           
  Lines       21377    21377           
=======================================
  Hits        16690    16690           
  Misses       3455     3455           
  Partials     1232     1232           

@BrandonNoad BrandonNoad changed the title [WIP] Run post recovery hook before storing the session and issuing a cookie [WIP] fix: Run post recovery hook before storing the session and issuing a cookie Jul 25, 2023
@zepatrik (Member) left a comment

It would be great to add a test that verifies this behavior. As all other tests are passing, it seems that at least it is not breaking anything.

@BrandonNoad (Contributor, Author) commented

@zepatrik Definitely. I wanted to make sure the existing tests were passing and haven't had the chance yet to add the new tests. I'll remove the [WIP] from the PR title when it is ready (I would have made this a draft but wasn't sure if the tests would run or not).

})

t.Run("description=should not be able to recover if post recovery hook fails", func(t *testing.T) {
conf.MustSet(ctx, config.HookStrategyKey(config.ViperKeySelfServiceRecoveryAfter, config.HookGlobal), []config.SelfServiceHook{{Name: "err", Config: []byte(`{"ExecutePostRecoveryHook": "err"}`)}})
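
Review bot: the conf.MustSet call on the first line of this subtest installs the "err" hook as the global after-recovery hook, and nothing in the visible lines restores the previous value; register a t.Cleanup that resets the config.ViperKeySelfServiceRecoveryAfter hooks so the subtests that follow do not inherit a failing hook. The subtest's assertions should also check that no session cookie was set on the response, not only that the recovery flow reported an error, since the subtest name promises that recovery is not possible.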

@BrandonNoad (Contributor, Author) commented

I couldn't figure out a good way to mock a 4xx response to the webhook request so that I could test that the message in the response would show up in the new flow.

@BrandonNoad BrandonNoad changed the title [WIP] fix: Run post recovery hook before storing the session and issuing a cookie fix: Run post recovery hook before storing the session and issuing a cookie Jul 28, 2023
@BrandonNoad (Contributor, Author) commented

Technically this change could be considered breaking. But I think it is just restoring the intended behaviour.

@aeneasr aeneasr requested review from hperl and removed request for aeneasr July 31, 2023 14:15
@zepatrik (Member) left a comment

Looks very good, I think this error case should be enough.

@hperl (Contributor) left a comment

LGTM!

@zepatrik zepatrik merged commit 6c1d2f1 into ory:master Aug 21, 2023
25 checks passed
Successfully merging this pull request may close these issues.

Flow interrupting in after recovery webhook does not work