fix: explain mitigations in cookie error messages

ory · Jan 5, 2022 · ef4b01a · ef4b01a
1 parent 469a5ed
commit ef4b01a
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/continuity/manager_cookie.go b/continuity/manager_cookie.go
@@ -17,7 +17,7 @@ import (
 )
 
 var _ Manager = new(ManagerCookie)
-var ErrNotResumable = *herodot.ErrBadRequest.WithError("session is not resumable").WithReasonf("No resumable session could be found in the HTTP Header.")
+var ErrNotResumable = *herodot.ErrBadRequest.WithError("no resumable session found").WithReasonf("The browser does not contain the neccesary cookie to resume the session. This is a security violation and was thus blocked. Please clear your browser's cookies and cache and try again!")
 
 const cookieName = "ory_kratos_continuity"
 

diff --git a/continuity/manager_test.go b/continuity/manager_test.go
@@ -130,7 +130,7 @@ func TestManager(t *testing.T) {
 
 						body := ioutilx.MustReadAll(res.Body)
 						require.Equal(t, http.StatusBadRequest, res.StatusCode)
-						assert.Contains(t, gjson.GetBytes(body, "error.reason").String(), "resumable session")
+						assert.Contains(t, gjson.GetBytes(body, "error.reason").String(), continuity.ErrNotResumable.ReasonField)
 					})
 
 					t.Run("case=pause and resume session", func(t *testing.T) {
@@ -174,7 +174,7 @@ func TestManager(t *testing.T) {
 						require.Equal(t, http.StatusBadRequest, res.StatusCode)
 						body := ioutilx.MustReadAll(res.Body)
 						t.Cleanup(func() { require.NoError(t, res.Body.Close()) })
-						assert.Contains(t, gjson.GetBytes(body, "error.reason").String(), "resumable session")
+						assert.Contains(t, gjson.GetBytes(body, "error.reason").String(), continuity.ErrNotResumable.ReasonField)
 					})
 
 					t.Run("case=pause and resume session in the same request", func(t *testing.T) {
@@ -210,7 +210,7 @@ func TestManager(t *testing.T) {
 
 						require.Equal(t, http.StatusBadRequest, res.StatusCode)
 						body := ioutilx.MustReadAll(res.Body)
-						assert.Contains(t, gjson.GetBytes(body, "error.reason").String(), "resumable session")
+						assert.Contains(t, gjson.GetBytes(body, "error.reason").String(), continuity.ErrNotResumable.ReasonField)
 					})
 				})
 			}

diff --git a/x/nosurf.go b/x/nosurf.go
@@ -23,7 +23,7 @@ var (
 				WithID(text.ErrIDCSRF).
 				WithError("the request was rejected to protect you from Cross-Site-Request-Forgery").
 				WithDetail("docs", "https://www.ory.sh/kratos/docs/debug/csrf").
-				WithReason("The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.")
+				WithReason("Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.")
 	ErrGone = herodot.DefaultError{
 		CodeField:    http.StatusGone,
 		StatusField:  http.StatusText(http.StatusGone),