fix: don't inherit flow type in recovery and verification flows #2250
Codecov Report
```
@@           Coverage Diff           @@
##           master    #2250   +/-   ##
=======================================
  Coverage   75.88%   75.89%
=======================================
  Files         298      298
  Lines       15917    15923    +6
=======================================
+ Hits        12079    12085    +6
  Misses       2979     2979
  Partials      859      859
```
For web-based flows we have a test that recovers / verifies an account with an expired link here:
kratos/test/e2e/cypress/integration/profiles/recovery/recovery/errors.spec.ts
Lines 69 to 82 in c5a04b5
```ts
it('is unable to recover the email address if the code is expired', () => {
  cy.shortLinkLifespan()
  const identity = gen.identityWithWebsite()
  cy.registerApi(identity)
  cy.recoverApi({ email: identity.email })
  cy.recoverEmailButExpired({ expect: { email: identity.email } })
  cy.get('[data-testid="ui/message/4060005"]').should(
    'contain.text',
    'The recovery flow expired'
  )
  cy.noSession()
})
```
I am under the impression that this test is actually recovering the account using an API flow, and then testing for this bug. So it appears that this bug is actually not happening on account recovery, only on verification?
If you (more or less) copy the test code of recovery to verification as well:
kratos/test/e2e/cypress/integration/profiles/verification/verify/errors.spec.ts
Lines 50 to 63 in c5a04b5
```ts
it('is unable to verify the email address if the code is expired', () => {
  cy.shortLinkLifespan()
  cy.visit(verification)
  cy.get('input[name="email"]').type(identity.email)
  cy.get('button[value="link"]').click()
  cy.get('[data-testid="ui/message/1080001"]').should(
    'contain.text',
    'An email containing a verification'
  )
  cy.verifyEmailButExpired({ expect: { email: identity.email } })
})
```
we would have a full e2e test covering this use case. Could you please add that?
It is a bit mysterious to me though why recovery seems to pass without our changes? But I do remember that I at one point introduced a fix for this...
Looks solid IMO.
@@ -402,6 +402,52 @@ Cypress.Commands.add('recoverApi', ({ email, returnTo }) => { | |||
}) | |||
}) | |||
|
|||
Cypress.Commands.add('verificationApiExpired', ({ email, returnTo }) => { | |||
cy.shortVerificationLifespan() |
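Review bot: `cy.shortVerificationLifespan()` on the first line of `verificationApiExpired` changes the link lifespan as a side effect, and nothing in the visible lines restores it, so the helper is only safe while something else resets the config between tests. Either restore the default lifespan once the expired flow has been created, or add a comment naming the per-test reset this command relies on.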
This will affect following tests right? Can you maybe also after creating the expired flow, reset the config?
Sure, I could, but we do reset it for each test case here
I see, then this is fine 👍
Thank you! I wanted to add a little test to recovery as well and while doing so I realized that the bug is still there. You can find my fixes here: 8d191d5. The problem was basically the redirection logic as it was still using the old flow type, hence redirecting to a JSON endpoint!
Co-authored-by: Patrik <[email protected]>
…2250) Closes ory#2049 Co-authored-by: Patrik <[email protected]> Co-authored-by: aeneasr <[email protected]> Co-authored-by: Patrik <[email protected]>