fix: don't return nil if code is invalid

ory · Dec 13, 2023 · ad89109 · ad89109
1 parent 3860705
commit ad89109
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/selfservice/strategy/code/strategy_recovery.go b/selfservice/strategy/code/strategy_recovery.go
@@ -254,8 +254,12 @@ func (s *Strategy) recoveryUseCode(w http.ResponseWriter, r *http.Request, body
 			return s.retryRecoveryFlow(w, r, f.Type, RetryWithError(err))
 		}
 
-		// No error
-		return nil
+		if f.Type == flow.TypeBrowser && !x.IsJSONRequest(r) {
+			http.Redirect(w, r, f.AppendTo(s.deps.Config().SelfServiceFlowRecoveryUI(r.Context())).String(), http.StatusSeeOther)
+		} else {
+			s.deps.Writer().Write(w, r, f)
+		}
+		return errors.WithStack(flow.ErrCompletedByStrategy)
 	} else if err != nil {
 		return s.retryRecoveryFlow(w, r, f.Type, RetryWithError(err))
 	}

diff --git a/selfservice/strategy/code/strategy_recovery_test.go b/selfservice/strategy/code/strategy_recovery_test.go
@@ -1597,7 +1597,7 @@ func TestRecovery_WithContinueWith(t *testing.T) {
 			t.Run("type="+testCase.ClientType.String(), func(t *testing.T) {
 				recoveryEmail := testhelpers.RandomEmail()
 				createIdentityToRecover(t, reg, recoveryEmail)
-				conf.MustSet(ctx, config.ViperKeySelfServiceRecoveryRequestLifespan, time.Millisecond*10)
+				conf.MustSet(ctx, config.ViperKeySelfServiceRecoveryRequestLifespan, time.Millisecond*100)
 				t.Cleanup(func() {
 					conf.MustSet(ctx, config.ViperKeySelfServiceRecoveryRequestLifespan, time.Minute)
 				})
@@ -1611,15 +1611,15 @@ func TestRecovery_WithContinueWith(t *testing.T) {
 					fallthrough
 				case RecoveryClientTypeSPA:
 					rs = testhelpers.GetRecoveryFlow(t, c, public)
-					time.Sleep(time.Millisecond * 11)
+					time.Sleep(time.Millisecond * 110)
 					res, err = c.PostForm(rs.Ui.Action, url.Values{"email": {recoveryEmail}, "method": {"code"}})
 					require.NoError(t, err)
 					assert.EqualValues(t, http.StatusOK, res.StatusCode)
 					assert.NotContains(t, res.Request.URL.String(), "flow="+rs.Id)
 					assert.Contains(t, res.Request.URL.String(), conf.SelfServiceFlowRecoveryUI(ctx).String())
 				case RecoveryClientTypeAPI:
 					rs = testhelpers.InitializeRecoveryFlowViaAPI(t, c, public)
-					time.Sleep(time.Millisecond * 11)
+					time.Sleep(time.Millisecond * 110)
 					form := testhelpers.EncodeFormAsJSON(t, true, url.Values{"email": {recoveryEmail}, "method": {"code"}})
 					res, err = c.Post(rs.Ui.Action, "application/json", bytes.NewBufferString(form))
 					require.NoError(t, err)

diff --git a/selfservice/strategy/code/strategy_verification.go b/selfservice/strategy/code/strategy_verification.go
@@ -236,8 +236,12 @@ func (s *Strategy) verificationUseCode(w http.ResponseWriter, r *http.Request, c
 			return s.retryVerificationFlowWithError(w, r, f.Type, err)
 		}
 
-		// No error
-		return nil
+		if x.IsBrowserRequest(r) {
+			http.Redirect(w, r, f.AppendTo(s.deps.Config().SelfServiceFlowVerificationUI(r.Context())).String(), http.StatusSeeOther)
+		} else {
+			s.deps.Writer().Write(w, r, f)
+		}
+		return errors.WithStack(flow.ErrCompletedByStrategy)
 	} else if err != nil {
 		return s.retryVerificationFlowWithError(w, r, f.Type, err)
 	}