fix: Do not send session after registration without hook

[meyfa]

This fixes the registration hooks to not include a session property in the response for API and SPA flows if there is no "session" hook configured. This new behavior matches up with pre-existing documentation.

Related issue(s)

Fixes #2093

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

• Since the presence of the "session" hook determines whether a valid session will be created, checking for that works well here. I do not know whether there is a more explicit way of verifying session validity that does not depend on the config.
• I would have liked to use the hook.KeySessionIssuer constant but that resulted in a circular import.
• No idea what to do about the session being passed to ContentNegotiationRedirection.

[aeneasr]

Thank you! This looks good to merge! I made one little change because we can actually just omit the session in the registration hook handler. If a session is issued by the session issuer, the flow is completely aborted, meaning that we never end up at that linked statement :)

[meyfa]

Thanks for the feedback!

we can actually just omit the session in the registration hook handler

I am not sure this is true, judging from the failing test case?

registration_test.go:539: 
    	Error Trace:	registration_test.go:539
    	Error:      	Should NOT be empty, but was 
    	Test:       	TestRegistration/case=registration/case=should_pass_and_set_up_a_session/type=spa

[meyfa]

Perhaps there needs to be another check in session_issuer.go, similar to the one if a.Type == flow.TypeAPI {, but for SPA (x.IsJSONRequest(r)). Would that help?

[aeneasr]

Sorry my bad! I worked on it but had to leave. I’ll push my changes later :)

[aeneasr]

Thank you @meyfa for report & fix :)

[meyfa]

Thank you so much for making this such a quick process & being super helpful! :)

[vinckr]

Hello @meyfa
Congrats on merging your first PR in Ory 🎉 !
Your contribution is helping secure millions of identities around the globe 🌏
As a small token of appreciation we send all our first time contributors a gift package to welcome them to the community.
Please drop me an email to claim your Ory swag!