fix: regenerate csrf if verification flow expired

ory · Sep 2, 2022 · 82de086 · 82de086
1 parent aee2b1e
commit 82de086
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/selfservice/flow/verification/error.go b/selfservice/flow/verification/error.go
@@ -28,6 +28,7 @@ type (
 		errorx.ManagementProvider
 		x.WriterProvider
 		x.LoggingProvider
+		x.CSRFProvider
 		x.CSRFTokenGeneratorProvider
 		config.Provider
 		FlowPersistenceProvider
@@ -68,7 +69,7 @@ func (s *ErrorHandler) WriteFlowError(
 	if e := new(flow.ExpiredError); errors.As(err, &e) {
 		// create new flow because the old one is not valid
 		a, err := FromOldFlow(s.d.Config(r.Context()), s.d.Config(r.Context()).SelfServiceFlowVerificationRequestLifespan(),
-			s.d.GenerateCSRFToken(r), r, s.d.VerificationStrategies(r.Context()), f)
+			s.d.CSRFHandler().RegenerateToken(w, r), r, s.d.VerificationStrategies(r.Context()), f)
 		if err != nil {
 			// failed to create a new session and redirect to it, handle that error as a new one
 			s.WriteFlowError(w, r, f, group, err)

diff --git a/selfservice/strategy/link/strategy_verification_test.go b/selfservice/strategy/link/strategy_verification_test.go
@@ -208,7 +208,7 @@ func TestVerification(t *testing.T) {
 		assert.Equal(t, "The verification token is invalid or has already been used. Please retry the flow.", sr.Ui.Messages[0].Text)
 	})
 
-	t.Run("description=should not be able to use an outdated link", func(t *testing.T) {
+	t.Run("description=should not be able to request link with an outdated flow", func(t *testing.T) {
 		conf.MustSet(config.ViperKeySelfServiceVerificationRequestLifespan, time.Millisecond*200)
 		t.Cleanup(func() {
 			conf.MustSet(config.ViperKeySelfServiceVerificationRequestLifespan, time.Minute)
@@ -226,7 +226,7 @@ func TestVerification(t *testing.T) {
 		assert.Contains(t, res.Request.URL.String(), conf.SelfServiceFlowVerificationUI().String())
 	})
 
-	t.Run("description=should not be able to use an outdated flow", func(t *testing.T) {
+	t.Run("description=should not be able to use link with an outdated flow", func(t *testing.T) {
 		conf.MustSet(config.ViperKeySelfServiceVerificationRequestLifespan, time.Millisecond*200)
 		t.Cleanup(func() {
 			conf.MustSet(config.ViperKeySelfServiceVerificationRequestLifespan, time.Minute)
@@ -244,6 +244,8 @@ func TestVerification(t *testing.T) {
 
 		time.Sleep(time.Millisecond * 201)
 
+		//Clear cookies as link might be opened in another browser
+		c = testhelpers.NewClientWithCookies(t)
 		res, err := c.Get(verificationLink)
 		require.NoError(t, err)