fix: send 404 instead of null response for unknown verification flows (…

…#2102)

Fixes the verification handler to write the error, instead of nil object, when the flow does not exist. Adds tests for every handler to check proper behavior in that regard.

Closes #2099

selfservice/flow/login/handler_test.go

@@ -557,4 +557,12 @@ func TestGetFlow(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, public.URL+login.RouteInitBrowserFlow+"?return_to=https://www.ory.sh", f.RequestURL)
 	})
+
+	t.Run("case=not found", func(t *testing.T) {
+		client := testhelpers.NewClientWithCookies(t)
+		setupLoginUI(t, client)
+
+		res, _ := x.EasyGet(t, client, public.URL+login.RouteGetFlow+"?id="+x.NewUUID().String())
+		assert.EqualValues(t, http.StatusNotFound, res.StatusCode)
+	})
 }

selfservice/flow/recovery/handler_test.go

@@ -249,4 +249,12 @@ func TestGetFlow(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, public.URL+recovery.RouteInitBrowserFlow+"?return_to=https://www.ory.sh", f.RequestURL)
 	})
+
+	t.Run("case=not found", func(t *testing.T) {
+		client := testhelpers.NewClientWithCookies(t)
+		setupRecoveryTS(t, client)
+
+		res, _ := x.EasyGet(t, client, public.URL+recovery.RouteGetFlow+"?id="+x.NewUUID().String())
+		assert.EqualValues(t, http.StatusNotFound, res.StatusCode)
+	})
 }

selfservice/flow/registration/handler_test.go

@@ -307,4 +307,12 @@ func TestGetFlow(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, public.URL+registration.RouteInitBrowserFlow+"?return_to=https://www.ory.sh", f.RequestURL)
 	})
+
+	t.Run("case=not found", func(t *testing.T) {
+		client := testhelpers.NewClientWithCookies(t)
+		setupRegistrationUI(t, client)
+
+		res, _ := x.EasyGet(t, client, public.URL+registration.RouteGetFlow+"?id="+x.NewUUID().String())
+		assert.EqualValues(t, http.StatusNotFound, res.StatusCode)
+	})
 }

selfservice/flow/settings/handler_test.go

@@ -186,7 +186,7 @@ func TestHandler(t *testing.T) {
 	})
 
 	t.Run("endpoint=fetch", func(t *testing.T) {
-		t.Run("description=fetching a non-existent flow should return a 403 error", func(t *testing.T) {
+		t.Run("description=fetching a non-existent flow should return a 404 error", func(t *testing.T) {
 			_, _, err := testhelpers.NewSDKCustomClient(publicTS, otherUser).V0alpha2Api.GetSelfServiceSettingsFlow(context.Background()).Id("i-do-not-exist").Execute()
 			require.Error(t, err)
 

selfservice/flow/verification/handler.go

@@ -234,7 +234,7 @@ func (h *Handler) fetch(w http.ResponseWriter, r *http.Request, _ httprouter.Par
 	rid := x.ParseUUID(r.URL.Query().Get("id"))
 	req, err := h.d.VerificationFlowPersister().GetVerificationFlow(r.Context(), rid)
 	if err != nil {
-		h.d.Writer().Write(w, r, req)
+		h.d.Writer().WriteError(w, r, err)
 		return
 	}
 

selfservice/flow/verification/handler_test.go

@@ -132,6 +132,7 @@ func TestGetFlow(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, public.URL+verification.RouteInitBrowserFlow+"?return_to=https://www.ory.sh", f.RequestURL)
 	})
+
 	t.Run("case=relative redirect when self-service verification ui is a relative URL", func(t *testing.T) {
 		router := x.NewRouterPublic()
 		ts, _ := testhelpers.NewKratosServerWithRouters(t, reg, router, x.NewRouterAdmin())
@@ -142,4 +143,12 @@ func TestGetFlow(t *testing.T) {
 			testhelpers.GetSelfServiceRedirectLocation(t, ts.URL+verification.RouteInitBrowserFlow),
 		)
 	})
+
+	t.Run("case=not found", func(t *testing.T) {
+		client := testhelpers.NewClientWithCookies(t)
+		_ = setupVerificationUI(t, client)
+
+		res, _ := x.EasyGet(t, client, public.URL+verification.RouteGetFlow+"?id="+x.NewUUID().String())
+		assert.EqualValues(t, http.StatusNotFound, res.StatusCode)
+	})
 }