As part of this change, fetching a settings flow over the public API …

…no longer requires Anti-CSRF cookies to be sent.

Partially closes #635

BREAKING CHANGE: Wording has changed from "Self-Service Settings Request" to "Self-Service Settings Flow" to follow community feedback and practice already applied in the documentation.

This patch renames several important settings flow endpoints:

- `/self-service/browser/flows/settings` is now `/self-service/settings/browser` without functional changes.
- `/self-service/browser/flows/requests/settings?request=abcd` is now `/self-service/settings/flows?id=abcd` and no longer needs anti-CSRF cookies to be available.

Additionally, the URL for completing the password, profile, and oidc settings method has been moved. Given that this endpoint is typically not manually called, you can probably ignore this change:

- `/self-service/browser/flows/login/strategies/password?request=abcd` is now `/self-service/login/methods/password?flow=abcd` without functional changes.
- `/self-service/browser/flows/strategies/oidc?request=abcd` is now `/self-service/methods/oidc?flow=abcd` without functional changes.
- `/self-service/browser/flows/settings/strategies/profile?request=abcd` is now `/self-service/settings/methods/profile?flow=abcd` without functional changes.

The Settings UI Endpoint no longer receives a `?request=abcde` query parameter but instead a `?flow=abcde` query parameter. Functionality did not change however.

As part of this change SDK methods have been renamed:

```
  const kratos = new CommonApi(config.kratos.public)
  // ...
- kratos.getSelfServiceBrowserSettingsRequest(req.query.request)
+ kratos.getSelfServiceSettingsFlow(req.query.flow)

  // You will most likely not be using this:
  const kratos = new PublicApi(config.kratos.public)
- kratos.completeSelfServiceBrowserSettingsPasswordStrategyFlow //...
- kratos.completeSelfServiceSettingsFlowWithPasswordMethod //..
- kratos.completeSelfServiceBrowserSettingsProfileStrategyFlow //...
- kratos.completeSelfServiceSettingsFlowWithProfileMethod //..
```

This patch requires you to run SQL migrations.

cmd/daemon/serve.go

@@ -136,8 +136,8 @@ func sqa(cmd *cobra.Command, d driver.Driver) *metricsx.Service {
 				session.RouteWhoami,
 				identity.IdentitiesPath,
 				profile.PublicSettingsProfilePath,
-				settings.PublicPath,
-				settings.PublicRequestPath,
+				settings.RouteInitBrowserFlow,
+				settings.RouteGetFlow,
 				profile.PublicSettingsProfilePath,
 				verification.PublicVerificationCompletePath,
 				strings.ReplaceAll(strings.ReplaceAll(verification.PublicVerificationConfirmPath, ":via", "email"), ":code", ""),

driver/configuration/provider.go

@@ -88,7 +88,7 @@ type Provider interface {
 	SelfServiceFlowSettingsPrivilegedSessionMaxAge() time.Duration
 	SelfServiceFlowSettingsAfterHooks(strategy string) []SelfServiceHook
 	SelfServiceFlowSettingsReturnTo(strategy string, defaultReturnTo *url.URL) *url.URL
-	SelfServiceFlowSettingsRequestLifespan() time.Duration
+	SelfServiceFlowSettingsFlowLifespan() time.Duration
 
 	SelfServiceFlowVerificationEnabled() bool
 	SelfServiceFlowVerificationUI() *url.URL

driver/configuration/provider_viper.go

@@ -408,7 +408,7 @@ func (p *ViperProvider) SelfServiceFlowLoginRequestLifespan() time.Duration {
 	return viperx.GetDuration(p.l, ViperKeySelfServiceLoginRequestLifespan, time.Hour)
 }
 
-func (p *ViperProvider) SelfServiceFlowSettingsRequestLifespan() time.Duration {
+func (p *ViperProvider) SelfServiceFlowSettingsFlowLifespan() time.Duration {
 	return viperx.GetDuration(p.l, ViperKeySelfServiceSettingsRequestLifespan, time.Hour)
 }
 

driver/configuration/provider_viper_test.go

@@ -199,7 +199,7 @@ func TestViperProvider(t *testing.T) {
 		})
 
 		t.Run("method=settings", func(t *testing.T) {
-			assert.Equal(t, time.Minute*99, p.SelfServiceFlowSettingsRequestLifespan())
+			assert.Equal(t, time.Minute*99, p.SelfServiceFlowSettingsFlowLifespan())
 			assert.Equal(t, time.Minute*5, p.SelfServiceFlowSettingsPrivilegedSessionMaxAge())
 
 			t.Run("hook=before", func(t *testing.T) {

driver/registry.go

@@ -92,7 +92,7 @@ type Registry interface {
 
 	settings.HandlerProvider
 	settings.ErrorHandlerProvider
-	settings.RequestPersistenceProvider
+	settings.FlowPersistenceProvider
 	settings.StrategyProvider
 
 	login.FlowPersistenceProvider

driver/registry_default.go

@@ -494,7 +494,7 @@ func (m *RegistryDefault) LoginFlowPersister() login.FlowPersister {
 	return m.persister
 }
 
-func (m *RegistryDefault) SettingsRequestPersister() settings.RequestPersister {
+func (m *RegistryDefault) SettingsFlowPersister() settings.FlowPersister {
 	return m.persister
 }
 

driver/registry_default_settings.go

@@ -38,7 +38,7 @@ func (m *RegistryDefault) SettingsHandler() *settings.Handler {
 	return m.selfserviceSettingsHandler
 }
 
-func (m *RegistryDefault) SettingsRequestErrorHandler() *settings.ErrorHandler {
+func (m *RegistryDefault) SettingsFlowErrorHandler() *settings.ErrorHandler {
 	if m.selfserviceSettingsErrorHandler == nil {
 		m.selfserviceSettingsErrorHandler = settings.NewErrorHandler(m, m.c)
 	}

internal/faker.go

@@ -117,15 +117,15 @@ func RegisterFakes() {
 	}
 
 	if err := faker.AddProvider("settings_flow_methods", func(v reflect.Value) (interface{}, error) {
-		var methods = make(map[string]*settings.RequestMethod)
+		var methods = make(map[string]*settings.FlowMethod)
 		for _, ct := range []string{settings.StrategyProfile, string(identity.CredentialsTypePassword), string(identity.CredentialsTypeOIDC)} {
 			var f form.HTMLForm
 			if err := faker.FakeData(&f); err != nil {
 				return nil, err
 			}
-			methods[ct] = &settings.RequestMethod{
+			methods[ct] = &settings.FlowMethod{
 				Method: ct,
-				Config: &settings.RequestMethodConfig{RequestMethodConfigurator: &f},
+				Config: &settings.FlowMethodConfig{FlowMethodConfigurator: &f},
 			}
 		}
 		return methods, nil