From d4531f1093bf1bd513955d6a3185bb3b99bdf62b Mon Sep 17 00:00:00 2001
From: Alano Terblanche
Date: Mon, 14 Feb 2022 14:46:46 +0100
Subject: [PATCH 1/2] test: browser login redirect status code 303
---
 selfservice/flow/login/handler_test.go | 30 ++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/selfservice/flow/login/handler_test.go b/selfservice/flow/login/handler_test.go
index d19c7844b22d..5a2747bebd53 100644
--- a/selfservice/flow/login/handler_test.go
+++ b/selfservice/flow/login/handler_test.go
@@ -462,6 +462,36 @@ func TestFlowLifecycle(t *testing.T) {
 assertion(body, true, false)
 assert.Contains(t, res.Request.URL.String(), loginTS.URL)
 })
+
+ t.Run("case=redirects with 303", func(t *testing.T) {
+ c := http.DefaultClient
+ // don't get the reference, instead copy the values so we don't alter the client directly.
+ *c = *ts.Client()
+ // prevent the redirect
+ c.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+ return http.ErrUseLastResponse
+ }
+ req, err := http.NewRequest("GET", ts.URL+login.RouteInitBrowserFlow, nil)
+ require.NoError(t, err)
+
+ res, err := c.Do(req)
+ require.NoError(t, err)
+ // here we check that the redirect status is 303
+ require.Equal(t, http.StatusSeeOther, res.StatusCode)
+ defer res.Body.Close()
+ })
+
+ t.Run("case=test client isn't altered", func(t *testing.T) {
+ c := ts.Client()
+ req, err := http.NewRequest("GET", ts.URL+login.RouteInitBrowserFlow, nil)
+ require.NoError(t, err)
+
+ res, err := c.Do(req)
+ require.NoError(t, err)
+ // here we check that the redirect status is 303
+ require.Equal(t, http.StatusOK, res.StatusCode)
+ defer res.Body.Close()
+ })
 })
 t.Run("case=relative redirect when self-service login ui is a relative URL", func(t *testing.T) {
 reg.Config(context.Background()).MustSet(config.ViperKeySelfServiceLoginUI, "/login-ts")
From b12a7d5b9ef14a8355e223e8dd254d74299adac5 Mon Sep 17 00:00:00 2001
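Review bot: The added subtest `case=redirects with 303` rewrites the process-wide `http.DefaultClient`: `c := http.DefaultClient` followed by `*c = *ts.Client()` copies the test client's fields into the global, and the `CheckRedirect` override then stays on it for every later test or helper in the same test binary that uses `http.DefaultClient` or `http.Get`, which is the opposite of what the comment promises. A local value copy avoids this: `c := *ts.Client()` in place of those two lines, with the rest of the subtest unchanged. `defer res.Body.Close()` should also move directly under the second `require.NoError(t, err)`, since a failing `require.Equal` ends the subtest before the defer is registered. The second patch in this series only rewords the comment, so the same lines remain after it.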
From: Alano Terblanche Date: Mon, 14 Feb 2022 14:58:40 +0100 Subject: [PATCH 2/2] test: logout redirect status code 303 --- selfservice/flow/login/handler_test.go | 13 +------------ selfservice/flow/logout/handler_test.go | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/selfservice/flow/login/handler_test.go b/selfservice/flow/login/handler_test.go index 5a2747bebd53..f0d498176086 100644 --- a/selfservice/flow/login/handler_test.go +++ b/selfservice/flow/login/handler_test.go @@ -465,7 +465,7 @@ func TestFlowLifecycle(t *testing.T) { t.Run("case=redirects with 303", func(t *testing.T) { c := http.DefaultClient - // don't get the reference, instead copy the values so we don't alter the client directly. + // don't get the reference, instead copy the values, so we don't alter the client directly. *c = *ts.Client() // prevent the redirect c.CheckRedirect = func(req *http.Request, via []*http.Request) error { @@ -481,17 +481,6 @@ func TestFlowLifecycle(t *testing.T) { defer res.Body.Close() }) - t.Run("case=test client isn't altered", func(t *testing.T) { - c := ts.Client() - req, err := http.NewRequest("GET", ts.URL+login.RouteInitBrowserFlow, nil) - require.NoError(t, err) - - res, err := c.Do(req) - require.NoError(t, err) - // here we check that the redirect status is 303 - require.Equal(t, http.StatusOK, res.StatusCode) - defer res.Body.Close() - }) }) t.Run("case=relative redirect when self-service login ui is a relative URL", func(t *testing.T) { reg.Config(context.Background()).MustSet(config.ViperKeySelfServiceLoginUI, "/login-ts") diff --git a/selfservice/flow/logout/handler_test.go b/selfservice/flow/logout/handler_test.go index 8782791d500a..cb2fee8bb473 100644 --- a/selfservice/flow/logout/handler_test.go +++ b/selfservice/flow/logout/handler_test.go 
@@ -223,4 +223,22 @@ func TestLogout(t *testing.T) {
 assert.EqualValues(t, http.StatusUnauthorized, res.StatusCode)
 assert.EqualValues(t, "No active session was found in this request.", gjson.GetBytes(body, "error.reason").String(), "%s", body)
 })
+
+ t.Run("case=init logout through browser does 303 redirect", func(t *testing.T) {
+ // init the logout
+ hc, logoutUrl := getLogoutUrl(t)
+ // prevent the redirect, so we can get check the status code
+ hc.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+ return http.ErrUseLastResponse
+ }
+ // submit the login
+ req, err := http.NewRequest("GET", logoutUrl, nil)
+ require.NoError(t, err)
+
+ res, err := hc.Do(req)
+ require.NoError(t, err)
+ // here we check that the redirect status is 303
+ require.Equal(t, http.StatusSeeOther, res.StatusCode)
+ defer res.Body.Close()
+ })
 }
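Review bot: The new logout subtest pins only the status code, so a 303 that points at the wrong destination would still pass; asserting the target as well, for example `require.NotEmpty(t, res.Header.Get("Location"))` or an equality check against the configured post-logout URL, would make the redirect check meaningful. `hc.CheckRedirect` is set on the client returned by `getLogoutUrl`, which is defined outside this hunk; if that helper hands back a shared client the override would leak into other subtests, so that is worth confirming. The comment `// submit the login` should read `// submit the logout`, and `defer res.Body.Close()` belongs directly after `require.NoError(t, err)` so the body is closed even when `require.Equal` fails.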