docs: clarify api flow use

ory · Aug 25, 2020 · a38b4a1 · a38b4a1
1 parent 7e367e7
commit a38b4a1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go
@@ -99,10 +99,13 @@ type initializeSelfServiceBrowserLoginFlow struct {
 //
 // To fetch an existing login flow call `/self-service/login/flows?flow=<flow_id>`.
 //
-// :::note
+// :::warning
 //
-// This endpoint is NOT INTENDED for browser applications (Chrome, Firefox, ...). We recommend using this endpoint
-// for server-side browser applications and single page apps (SPA).
+// You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+// Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+// you vulnerable to a variety of CSRF attacks, including CSRF login attacks.
+//
+// This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
 //
 // :::
 //
@@ -151,12 +154,8 @@ func (h *Handler) initAPIFlow(w http.ResponseWriter, r *http.Request, _ httprout
 // exists already, the browser will be redirected to `urls.default_redirect_url` unless the query parameter
 // `?refresh=true` was set.
 //
-// :::note
-//
 // This endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...).
 //
-// :::
-//
 // More information can be found at [ORY Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).
 //
 //     Schemes: http, https

diff --git a/selfservice/flow/registration/handler.go b/selfservice/flow/registration/handler.go
@@ -89,10 +89,13 @@ func (h *Handler) NewRegistrationFlow(w http.ResponseWriter, r *http.Request, ft
 //
 // To fetch an existing registration flow call `/self-service/registration/flows?flow=<flow_id>`.
 //
-// :::note
+// :::warning
+//
+// You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+// Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+// you vulnerable to a variety of CSRF attacks.
 //
-// This endpoint is NOT INTENDED for browser applications (Chrome, Firefox, ...). We recommend using this endpoint
-// for server-side browser applications and single page apps (SPA).
+// This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
 //
 // :::
 //