Wikia · adpaste · Sep 4, 2024 · Aug 30, 2024 · Sep 4, 2024
diff --git a/driver/config/config.go b/driver/config/config.go
@@ -139,6 +139,7 @@ const (
 	ViperKeySelfServiceLoginRequestLifespan                  = "selfservice.flows.login.lifespan"
 	ViperKeySelfServiceLoginAfter                            = "selfservice.flows.login.after"
 	ViperKeySelfServiceLoginBeforeHooks                      = "selfservice.flows.login.before.hooks"
+	ViperKeySelfServiceLoginAfterSubmitHooks                 = "selfservice.flows.login.after_submit.hooks"
 	ViperKeySelfServiceErrorUI                               = "selfservice.flows.error.ui_url"
 	ViperKeySelfServiceLogoutBrowserDefaultReturnTo          = "selfservice.flows.logout.after." + DefaultBrowserReturnURL
 	ViperKeySelfServiceSettingsURL                           = "selfservice.flows.settings.ui_url"
@@ -702,6 +703,10 @@ func (p *Config) SelfServiceFlowLoginBeforeHooks(ctx context.Context) []SelfServ
 	return p.selfServiceHooks(ctx, ViperKeySelfServiceLoginBeforeHooks)
 }
 
+func (p *Config) SelfServiceFlowLoginAfterSubmitHooks(ctx context.Context) []SelfServiceHook {
+	return p.selfServiceHooks(ctx, ViperKeySelfServiceLoginAfterSubmitHooks)
+}
+
 func (p *Config) SelfServiceFlowRecoveryBeforeHooks(ctx context.Context) []SelfServiceHook {
 	return p.selfServiceHooks(ctx, ViperKeySelfServiceRecoveryBeforeHooks)
 }

diff --git a/driver/registry_default_login.go b/driver/registry_default_login.go
@@ -27,6 +27,15 @@ func (m *RegistryDefault) PreLoginHooks(ctx context.Context) (b []login.PreHookE
 	return
 }
 
+func (m *RegistryDefault) AfterSubmitLoginHooks(ctx context.Context) (b []login.AfterSubmitHookExecutor) {
+	for _, v := range m.getHooks("", m.Config().SelfServiceFlowLoginAfterSubmitHooks(ctx)) {
+		if hook, ok := v.(login.AfterSubmitHookExecutor); ok {
+			b = append(b, hook)
+		}
+	}
+	return
+}
+
 func (m *RegistryDefault) PostLoginHooks(ctx context.Context, credentialsType identity.CredentialsType) (b []login.PostHookExecutor) {
 	for _, v := range m.getHooks(string(credentialsType), m.Config().SelfServiceFlowLoginAfterHooks(ctx, string(credentialsType))) {
 		if hook, ok := v.(login.PostHookExecutor); ok {

diff --git a/embedx/config.schema.json b/embedx/config.schema.json
@@ -1309,6 +1309,15 @@
                 },
                 "after": {
                   "$ref": "#/definitions/selfServiceAfterLogin"
+                },
+                "after_submit": {
+                  "type": "object",
+                  "additionalProperties": false,
+                  "properties": {
+                    "hooks": {
+                      "$ref": "#/definitions/selfServiceHooks"
+                    }
+                  }
                 }
               }
             },

diff --git a/internal/testhelpers/selfservice.go b/internal/testhelpers/selfservice.go
@@ -81,6 +81,50 @@ func TestSelfServicePreHook(
 	}
 }
 
+func TestSelfServiceAfterSubmitHook(
+	configKey string,
+	makeRequestPost func(t *testing.T, ts *httptest.Server, asAPI bool, query url.Values) (*http.Response, string),
+	newServer func(t *testing.T) *httptest.Server,
+	conf *config.Config,
+) func(t *testing.T) {
+	ctx := context.Background()
+	return func(t *testing.T) {
+		t.Run("case=pass without hooks", func(t *testing.T) {
+			t.Cleanup(SelfServiceHookConfigReset(t, conf))
+
+			res, _ := makeRequestPost(t, newServer(t), false, url.Values{})
+			assert.EqualValues(t, http.StatusOK, res.StatusCode)
+		})
+
+		t.Run("case=pass if hooks pass", func(t *testing.T) {
+			t.Cleanup(SelfServiceHookConfigReset(t, conf))
+			conf.MustSet(ctx, configKey, []config.SelfServiceHook{{Name: "err", Config: []byte(`{}`)}})
+
+			res, _ := makeRequestPost(t, newServer(t), false, url.Values{})
+			assert.EqualValues(t, http.StatusOK, res.StatusCode)
+		})
+
+		t.Run("case=err if hooks err", func(t *testing.T) {
+			t.Cleanup(SelfServiceHookConfigReset(t, conf))
+			conf.MustSet(ctx, configKey, []config.SelfServiceHook{{Name: "err", Config: []byte(`{"ExecuteAfterSubmitLoginHook": "err"}`)}})
+
+			res, body := makeRequestPost(t, newServer(t), false, url.Values{})
+			assert.EqualValues(t, http.StatusInternalServerError, res.StatusCode, "%s", body)
+			assert.EqualValues(t, "err", body)
+		})
+
+		t.Run("case=abort if hooks aborts", func(t *testing.T) {
+			t.Cleanup(SelfServiceHookConfigReset(t, conf))
+			conf.MustSet(ctx, configKey, []config.SelfServiceHook{{Name: "err", Config: []byte(`{"ExecuteAfterSubmitLoginHook": "abort"}`)}})
+
+			res, body := makeRequestPost(t, newServer(t), false, url.Values{})
+			assert.EqualValues(t, http.StatusOK, res.StatusCode)
+			assert.Empty(t, body)
+		})
+
+	}
+}
+
 func SelfServiceHookCreateFakeIdentity(t *testing.T, reg driver.Registry) *identity.Identity {
 	i := SelfServiceHookFakeIdentity(t)
 	require.NoError(t, reg.IdentityManager().Create(context.Background(), i))
@@ -102,6 +146,7 @@ func SelfServiceHookConfigReset(t *testing.T, conf *config.Config) func() {
 		conf.MustSet(ctx, config.ViperKeySelfServiceLoginAfter, nil)
 		conf.MustSet(ctx, config.ViperKeySelfServiceLoginAfter+".hooks", nil)
 		conf.MustSet(ctx, config.ViperKeySelfServiceLoginBeforeHooks, nil)
+		conf.MustSet(ctx, config.ViperKeySelfServiceLoginAfterSubmitHooks, nil)
 		conf.MustSet(ctx, config.ViperKeySelfServiceRecoveryAfter, nil)
 		conf.MustSet(ctx, config.ViperKeySelfServiceRecoveryAfter+".hooks", nil)
 		conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationAfter, nil)
@@ -185,6 +230,10 @@ func SelfServiceMakeLoginPostHookRequest(t *testing.T, ts *httptest.Server, asAP
 	return SelfServiceMakeHookRequest(t, ts, "/login/post", asAPI, query)
 }
 
+func SelfServiceMakeLoginAfterSubmitHookRequest(t *testing.T, ts *httptest.Server, asAPI bool, query url.Values) (*http.Response, string) {
+	return SelfServiceMakeHookRequest(t, ts, "/login/submit", asAPI, query)
+}
+
 func SelfServiceMakeRegistrationPreHookRequest(t *testing.T, ts *httptest.Server) (*http.Response, string) {
 	return SelfServiceMakeHookRequest(t, ts, "/registration/pre", false, url.Values{})
 }

diff --git a/selfservice/flow/login/flow.go b/selfservice/flow/login/flow.go
@@ -155,6 +155,8 @@ type Flow struct {
 
 	// ReturnToVerification contains the redirect URL for the verification flow.
 	ReturnToVerification string `json:"-" db:"-"`
+
+	isAccountLinkingFlow bool `json:"-" db:"-"`
 }
 
 var _ flow.Flow = new(Flow)

diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go
@@ -118,6 +118,12 @@ func WithFormErrorMessage(messages []text.Message) FlowOption {
 	}
 }
 
+func WithIsAccountLinking() FlowOption {
+	return func(f *Flow) {
+		f.isAccountLinkingFlow = true
+	}
+}
+
 func (h *Handler) NewLoginFlow(w http.ResponseWriter, r *http.Request, ft flow.Type, opts ...FlowOption) (*Flow, *session.Session, error) {
 	conf := h.d.Config()
 	f, err := NewFlow(conf, conf.SelfServiceFlowLoginRequestLifespan(r.Context()), h.d.GenerateCSRFToken(r), r, ft)
@@ -226,7 +232,7 @@ preLoginHook:
 					// Refreshing takes precedence over identifier_first auth which can not be a refresh flow.
 					// Therefor this comes first.
 					populateErr = strategy.PopulateLoginMethodFirstFactorRefresh(r, f)
-				case h.d.Config().SelfServiceLoginFlowIdentifierFirstEnabled(r.Context()):
+				case h.d.Config().SelfServiceLoginFlowIdentifierFirstEnabled(r.Context()) && !f.isAccountLinkingFlow:
 					populateErr = strategy.PopulateLoginMethodIdentifierFirstIdentification(r, f)
 				default:
 					populateErr = strategy.PopulateLoginMethodFirstFactor(r, f)
@@ -846,6 +852,11 @@ func (h *Handler) updateLoginFlow(w http.ResponseWriter, r *http.Request, _ http
 	}
 
 continueLogin:
+	if err := h.d.LoginHookExecutor().AfterSubmitLoginHook(w, r, f); err != nil {
+		h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, node.DefaultGroup, err)
+		return
+	}
+
 	if err := f.Valid(); err != nil {
 		h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, node.DefaultGroup, err)
 		return

diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go
@@ -33,12 +33,17 @@ type (
 		ExecuteLoginPreHook(w http.ResponseWriter, r *http.Request, a *Flow) error
 	}
 
+	AfterSubmitHookExecutor interface {
+		ExecuteAfterSubmitLoginHook(w http.ResponseWriter, r *http.Request, a *Flow) error
+	}
+
 	PostHookExecutor interface {
 		ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session) error
 	}
 
 	HooksProvider interface {
 		PreLoginHooks(ctx context.Context) []PreHookExecutor
+		AfterSubmitLoginHooks(ctx context.Context) []AfterSubmitHookExecutor
 		PostLoginHooks(ctx context.Context, credentialsType identity.CredentialsType) []PostHookExecutor
 	}
 )
@@ -334,6 +339,16 @@ func (e *HookExecutor) PostLoginHook(
 	return nil
 }
 
+func (e *HookExecutor) AfterSubmitLoginHook(w http.ResponseWriter, r *http.Request, a *Flow) error {
+	for _, executor := range e.d.AfterSubmitLoginHooks(r.Context()) {
+		if err := executor.ExecuteAfterSubmitLoginHook(w, r, a); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func (e *HookExecutor) PreLoginHook(w http.ResponseWriter, r *http.Request, a *Flow) error {
 	for _, executor := range e.d.PreLoginHooks(r.Context()) {
 		if err := executor.ExecuteLoginPreHook(w, r, a); err != nil {

diff --git a/selfservice/flow/login/hook_test.go b/selfservice/flow/login/hook_test.go
@@ -56,6 +56,14 @@ func TestLoginExecutor(t *testing.T) {
 					}
 				})
 
+				router.GET("/login/submit", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+					loginFlow, err := login.NewFlow(conf, time.Minute, "", r, ft)
+					require.NoError(t, err)
+					if testhelpers.SelfServiceHookLoginErrorHandler(t, w, r, reg.LoginHookExecutor().AfterSubmitLoginHook(w, r, loginFlow)) {
+						_, _ = w.Write([]byte("ok"))
+					}
+				})
+
 				router.GET("/login/post", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 					loginFlow, err := login.NewFlow(conf, time.Minute, "", r, ft)
 					require.NoError(t, err)
@@ -357,6 +365,15 @@ func TestLoginExecutor(t *testing.T) {
 					},
 					conf,
 				))
+
+				t.Run("method=AfterSubmitHook", testhelpers.TestSelfServiceAfterSubmitHook(
+					config.ViperKeySelfServiceLoginAfterSubmitHooks,
+					testhelpers.SelfServiceMakeLoginAfterSubmitHookRequest,
+					func(t *testing.T) *httptest.Server {
+						return newServer(t, flow.TypeAPI, nil)
+					},
+					conf,
+				))
 			})
 
 			t.Run("type=browser", func(t *testing.T) {
@@ -368,6 +385,15 @@ func TestLoginExecutor(t *testing.T) {
 					},
 					conf,
 				))
+
+				t.Run("method=AfterSubmitHook", testhelpers.TestSelfServiceAfterSubmitHook(
+					config.ViperKeySelfServiceLoginAfterSubmitHooks,
+					testhelpers.SelfServiceMakeLoginAfterSubmitHookRequest,
+					func(t *testing.T) *httptest.Server {
+						return newServer(t, flow.TypeBrowser, nil)
+					},
+					conf,
+				))
 			})
 
 			t.Run("requiresAAL2 should return true if there's an error", func(t *testing.T) {

diff --git a/selfservice/hook/error.go b/selfservice/hook/error.go
@@ -72,6 +72,10 @@ func (e Error) ExecuteLoginPreHook(w http.ResponseWriter, r *http.Request, a *lo
 	return e.err("ExecuteLoginPreHook", login.ErrHookAbortFlow)
 }
 
+func (e Error) ExecuteAfterSubmitLoginHook(w http.ResponseWriter, r *http.Request, a *login.Flow) error {
+	return e.err("ExecuteAfterSubmitLoginHook", login.ErrHookAbortFlow)
+}
+
 func (e Error) ExecuteRegistrationPreHook(w http.ResponseWriter, r *http.Request, a *registration.Flow) error {
 	return e.err("ExecuteRegistrationPreHook", registration.ErrHookAbortFlow)
 }

diff --git a/selfservice/hook/web_hook.go b/selfservice/hook/web_hook.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"net/http"
 	"net/textproto"
+	"net/url"
 	"time"
 
 	"github.com/dgraph-io/ristretto"
@@ -84,6 +85,7 @@ type (
 		RequestCookies map[string]string  `json:"request_cookies"`
 		Identity       *identity.Identity `json:"identity,omitempty"`
 		Session        *session.Session   `json:"session,omitempty"`
+		Fields         url.Values         `json:"fields,omitempty"`
 	}
 
 	WebHook struct {
@@ -134,6 +136,25 @@ func (e *WebHook) ExecuteLoginPreHook(_ http.ResponseWriter, req *http.Request,
 	})
 }
 
+func (e *WebHook) ExecuteAfterSubmitLoginHook(_ http.ResponseWriter, req *http.Request, flow *login.Flow) error {
+	if req.Body != nil {
+		if err := req.ParseForm(); err != nil {
+			return errors.WithStack(err)
+		}
+	}
+
+	return otelx.WithSpan(req.Context(), "selfservice.hook.WebHook.ExecuteAfterSubmitLoginHook", func(ctx context.Context) error {
+		return e.execute(ctx, &templateContext{
+			Flow:           flow,
+			RequestHeaders: req.Header,
+			RequestMethod:  req.Method,
+			RequestURL:     x.RequestURL(req).String(),
+			RequestCookies: cookies(req),
+			Fields:         req.Form,
+		})
+	})
+}
+
 func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request, _ node.UiNodeGroup, flow *login.Flow, session *session.Session) error {
 	return otelx.WithSpan(req.Context(), "selfservice.hook.WebHook.ExecuteLoginPostHook", func(ctx context.Context) error {
 		return e.execute(ctx, &templateContext{