test: login form submission with AAL

ory · Oct 19, 2021 · 4d54fbb · 4d54fbb
1 parent f7d60c0
commit 4d54fbb
Show file tree

Hide file tree

Showing 3 changed files with 269 additions and 148 deletions.
diff --git a/internal/testhelpers/selfservice_login.go b/internal/testhelpers/selfservice_login.go
@@ -10,6 +10,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/kratos/identity"
+	"github.com/ory/x/urlx"
+
 	"github.com/tidwall/gjson"
 
 	"github.com/stretchr/testify/assert"
@@ -45,15 +48,46 @@ func NewLoginUIWith401Response(t *testing.T, c *config.Config) *httptest.Server
 	return ts
 }
 
-func InitializeLoginFlowViaBrowser(t *testing.T, client *http.Client, ts *httptest.Server, forced bool, isSPA bool) *kratos.SelfServiceLoginFlow {
-	publicClient := NewSDKCustomClient(ts, client)
+type initFlowOptions struct {
+	aal identity.AuthenticatorAssuranceLevel
+}
+
+func (o *initFlowOptions) apply(opts []InitFlowWithOption) *initFlowOptions {
+	for _, opt := range opts {
+		opt(o)
+	}
+	return o
+}
+
+func getURLFromInitOptions(ts *httptest.Server, path string, forced bool, opts ...InitFlowWithOption) string {
+	o := new(initFlowOptions).apply(opts)
+	q := url.Values{}
 
-	q := ""
 	if forced {
-		q = "?refresh=true"
+		q.Set("refresh", "true")
 	}
 
-	req, err := http.NewRequest("GET", ts.URL+login.RouteInitBrowserFlow+q, nil)
+	if o.aal != "" {
+		q.Set("aal", string(o.aal))
+	}
+
+	u := urlx.ParseOrPanic(ts.URL + path)
+	u.RawQuery = q.Encode()
+	return u.String()
+}
+
+type InitFlowWithOption func(*initFlowOptions)
+
+func InitFlowWithAAL(aal identity.AuthenticatorAssuranceLevel) InitFlowWithOption {
+	return func(o *initFlowOptions) {
+		o.aal = aal
+	}
+}
+
+func InitializeLoginFlowViaBrowser(t *testing.T, client *http.Client, ts *httptest.Server, forced bool, isSPA bool, opts ...InitFlowWithOption) *kratos.SelfServiceLoginFlow {
+	publicClient := NewSDKCustomClient(ts, client)
+
+	req, err := http.NewRequest("GET", getURLFromInitOptions(ts, login.RouteInitBrowserFlow, forced, opts...), nil)
 	require.NoError(t, err)
 
 	if isSPA {
@@ -77,10 +111,16 @@ func InitializeLoginFlowViaBrowser(t *testing.T, client *http.Client, ts *httpte
 	return rs
 }
 
-func InitializeLoginFlowViaAPI(t *testing.T, client *http.Client, ts *httptest.Server, forced bool) *kratos.SelfServiceLoginFlow {
+func InitializeLoginFlowViaAPI(t *testing.T, client *http.Client, ts *httptest.Server, forced bool, opts ...InitFlowWithOption) *kratos.SelfServiceLoginFlow {
 	publicClient := NewSDKCustomClient(ts, client)
 
-	rs, _, err := publicClient.V0alpha1Api.InitializeSelfServiceLoginFlowWithoutBrowser(context.Background()).Refresh(forced).Execute()
+	o := new(initFlowOptions).apply(opts)
+	req := publicClient.V0alpha1Api.InitializeSelfServiceLoginFlowWithoutBrowser(context.Background()).Refresh(forced)
+	if o.aal != "" {
+		req = req.Aal(string(o.aal))
+	}
+
+	rs, _, err := req.Execute()
 	require.NoError(t, err)
 	assert.Empty(t, rs.Active)
 

diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go
@@ -470,21 +470,26 @@ func (h *Handler) submitFlow(w http.ResponseWriter, r *http.Request, _ httproute
 			goto continueLogin
 		}
 
-		// We are not upgrading AAL, nor are we refreshing. Error!
-		x.AcceptToRedirectOrJSON(w, r, h.d.Writer(), errors.WithStack(ErrAlreadyLoggedIn), h.d.Config(r.Context()).SelfServiceBrowserDefaultReturnTo().String())
+		if x.IsJSONRequest(r) || f.Type == flow.TypeAPI {
+			// We are not upgrading AAL, nor are we refreshing. Error!
+			h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, node.DefaultGroup, errors.WithStack(ErrAlreadyLoggedIn))
+			return
+		}
+
+		http.Redirect(w, r, h.d.Config(r.Context()).SelfServiceBrowserDefaultReturnTo().String(), http.StatusSeeOther)
 		return
 	} else if errors.Is(err, session.ErrNoActiveSessionFound) {
 
 		// Only failure scenario here is if we try to upgrade the session to a higher AAL without actually
 		// having a session.
 		if f.RequestedAAL > identity.AuthenticatorAssuranceLevel1 {
-			h.d.Writer().WriteError(w, r, errors.WithStack(ErrSessionRequiredForHigherAAL))
+			h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, node.DefaultGroup, errors.WithStack(ErrSessionRequiredForHigherAAL))
 			return
 		}
 
 		sess = session.NewInactiveSession()
 	} else {
-		h.d.Writer().WriteError(w, r, err)
+		h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, node.DefaultGroup, err)
 		return
 	}