feat(selfservice/login): enable reauthentication functionality #248
Conversation
# Conflicts: # persistence/sql/persister_login.go
selfservice/flow/login/handler.go
Outdated
| @@ -110,6 +111,12 @@ func (h *Handler) NewLoginRequest(w http.ResponseWriter, r *http.Request, redir | |||
| // 500: genericError | |||
| func (h *Handler) initLoginRequest(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { | |||
| if err := h.NewLoginRequest(w, r, func(a *Request) (string, error) { | |||
| // we assume an error means the user has no session | |||
| if _, err := h.d.SessionManager().FetchFromRequest(r.Context(), w, r); err == nil && r.URL.Query().Get("prompt") == "true" { | |||
There was a problem hiding this comment.
The && doesn't make sense here. Please add a failing test case first.
| } | ||
| t.Run("does set reauth flag on authenticated request", func(t *testing.T) { | ||
| rid := x.NewUUID() | ||
| req := x.NewTestHTTPRequest(t, "GET", ts.URL+login.BrowserLoginPath, nil) |
There was a problem hiding this comment.
| {"GET", login.BrowserLoginPath}, | ||
| t.Run("does not set reauth flag on unauthenticated request", func(t *testing.T) { | ||
| c := ts.Client() | ||
| res, err := c.Get(ts.URL + login.BrowserLoginPath) |
There was a problem hiding this comment.
This should work for both prompt=true and prompt=false and no prompt
| @@ -18,7 +18,8 @@ type ( | |||
| RequestPersister interface { | |||
| CreateLoginRequest(context.Context, *Request) error | |||
| GetLoginRequest(context.Context, uuid.UUID) (*Request, error) | |||
| UpdateLoginRequest(context.Context, uuid.UUID, identity.CredentialsType, *RequestMethod) error | |||
| UpdateLoginRequestMethod(context.Context, uuid.UUID, identity.CredentialsType, *RequestMethod) error | |||
| UpdateLoginRequestReauth(ctx context.Context, id uuid.UUID, reauth bool) error | |||
There was a problem hiding this comment.
Since this is a one-way method (reauth is false by default and can only be set to true) wouldn't it make sense to name this something like MarkLoginRequestForced? Alternatively UpdateLoginRequest(context.Context, *Request).
| @@ -0,0 +1 @@ | |||
| add_column("selfservice_login_requests", "is_reauthentication", "bool", {default: false}) | |||
There was a problem hiding this comment.
I would like to rename this to forced or, alternatively prompt although I think that forced is clearer.
selfservice/flow/login/request.go
Outdated
| @@ -61,6 +65,9 @@ type Request struct { | |||
|
|
|||
| // CSRFToken contains the anti-csrf token associated with this request. | |||
| CSRFToken string `json:"-" db:"csrf_token"` | |||
|
|
|||
| // IsReauthentication stores whether this login request is a reauthenication request. | |||
| IsReauthentication bool `json:"is_reauthentication" db:"is_reauthentication"` | |||
There was a problem hiding this comment.
I think forced is shorter and as concise :)
| }, public) | ||
| c, err := p.OAuth2(context.TODO()) | ||
| require.NoError(t, err) | ||
| return c.AuthCodeURL("state", p.AddAuthCodeURLOptions(r)...) |
There was a problem hiding this comment.
I would rename this function to p.AuthCodeURLOptions because you are returning the options, not adding it to something.
| @@ -456,4 +459,41 @@ func TestStrategy(t *testing.T) { | |||
| aue(t, res, body, "an account with the same identifier (email, phone, username, ...) exists already") | |||
| }) | |||
| }) | |||
|
|
|||
| identity.PrivilegedPoolProvider | ||
| password.HashProvider | ||
| } | ||
| func TestLoginNew(t *testing.T) { |
There was a problem hiding this comment.
Nice refactoring - this looks so much more readable :)
|
ready for review @aeneasr |
Related issue
contributes to #243
Proposed changes
Checklist
vulnerability, I confirm that I got green light (please contact security@ory.sh) from the maintainers to push the changes.
Further comments