fix: accept recovery link from authenticated users (#1077) #2195
Conversation
|
|
|
The e2e tests failed apparently due to some random timeout. I'll ignore that for now, since I'll probably need to push some changes and rerun tests after code review. |
|
And now it failed on It does not seem like it's related to my changes 🤔. |
|
Re-running CI now :) |
There was a problem hiding this comment.
Thank you! This looks great! Could you please also add an end-to-end test, for example to this file ( https://github.com/ory/kratos/blob/master/test/e2e/cypress/integration/profiles/recovery/recovery/success.spec.ts#L72 ) to ensure these changes work as expected end-to-end? :)
| @@ -221,6 +221,11 @@ func (s *Strategy) Recover(w http.ResponseWriter, r *http.Request, f *recovery.F | |||
| return s.recoveryUseToken(w, r, body) | |||
| } | |||
|
|
|||
| if _, err := s.d.SessionManager().FetchFromRequest(r.Context(), r); err == nil { | |||
| session.RedirectOnAuthenticated(s.d)(w, r, nil) | |||
There was a problem hiding this comment.
I took this straight from
. I think it redirects to a default page?There was a problem hiding this comment.
Ok, that works - is there a test that ensures we are really redirecting to there? :)
There was a problem hiding this comment.
Check the test in handler_test.go. It initiates a new recovery flow, navigates to ui.action, and ends up redirected.
Codecov Report
@@ Coverage Diff @@
## master #2195 +/- ##
==========================================
+ Coverage 76.58% 76.61% +0.03%
==========================================
Files 318 318
Lines 17156 17189 +33
==========================================
+ Hits 13139 13170 +31
- Misses 3086 3087 +1
- Partials 931 932 +1
Continue to review full report at Codecov.
|
I'll try, I didn't yet manage to run e2e tests locally. Is it possible to run a single e2e test? |
|
Are you OK with this approach in general, or would you prefer that I redo it like described in the "Further Comments" section (or solve this some other way)? |
|
Yes, the approach is good! :) |
|
I added an e2e test. I aldo added a simple test for |
|
Hey, I need more time to review this. Somehow in my head it does not make sense that the introduced change has the effect it should, so I need to go through the changed code line-by-line, but I don't really have time for it this week :/ |
No worries. I described the problem here: #1077 (comment). The TL;DR is that if you're authenticated, then |
|
@aeneasr Any chance you'll look into this PR this week? |
|
@kszafran can you please take a look at CI failures? |
This issue is supposedly fixed in master already: #1077 I haven't closed this PR yet, because had trouble testing the solution in master locally (see my latest comment in the linked issue). I'm hoping I can test it without issues once v0.8.3 is released. |
|
@piotrmsc I tested |
|
Thank you, I looked into the PR and resolved a couple of issues I found |
|
@aeneasr In this case, is there still anything you need from me? |
|
I think we're good :) |
|
Hello @kszafran |
When a recovery link is opened while the user already has a session cookie (possibly for another account), the endpoint will now correctly complete the recovery process and issue new cookies. BREAKING CHANGES: Calling /self-service/recovery without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page. Closes https://github.com/ory-corp/cloud/issues/2173 Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
When a recovery link is opened while the user already has a session cookie (possibly for another account), the endpoint will now correctly complete the recovery process and issue new cookies. BREAKING CHANGES: Calling /self-service/recovery without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page. Closes https://github.com/ory-corp/cloud/issues/2173 Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
When a recovery link is opened while the user already has a session cookie (possibly for another account), the endpoint will now correctly complete the recovery process and issue new cookies. BREAKING CHANGES: Calling /self-service/recovery without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page. Closes https://github.com/ory-corp/cloud/issues/2173 Co-authored-by: aeneasr <3372410+aeneasr@users.noreply.github.com>
When a recovery link is opened while the user already has a session cookie (possibly for another account), the endpoint will now correctly complete the recovery process and issue new cookies.
Related issue(s)
Closes https://github.com/ory-corp/cloud/issues/2173
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further Comments
I don't like my solution too much, it feels like a hack. Since I'm not too familiar with the codebase, I didn't want to make too many changes. I'm open to suggestions. I was thinking that perhaps instead of doing this in
submitFlow(pseudocode):we could do:
This would also help avoid that minor breaking change.