fix: use correct security annotation

ory · Sep 28, 2020 · c9bebe0 · c9bebe0
1 parent a8a781c
commit c9bebe0
Show file tree

Hide file tree

Showing 9 changed files with 111 additions and 51 deletions.
diff --git a/internal/httpclient/client/public/public_client.go b/internal/httpclient/client/public/public_client.go
diff --git a/internal/httpclient/client/public/whoami_parameters.go b/internal/httpclient/client/public/whoami_parameters.go
diff --git a/selfservice/errorx/handler.go b/selfservice/errorx/handler.go
@@ -6,7 +6,6 @@ import (
 
 	"github.com/julienschmidt/httprouter"
 	"github.com/justinas/nosurf"
-	"github.com/pkg/errors"
 
 	"github.com/ory/herodot"
 
@@ -68,15 +67,12 @@ type getSelfServiceErrorParameters struct {
 	Error string `json:"error"`
 }
 
-// swagger:route GET /self-service/errors common public admin getSelfServiceError
+// swagger:route GET /self-service/errors public admin getSelfServiceError
 //
 // Get User-Facing Self-Service Errors
 //
 // This endpoint returns the error associated with a user-facing self service errors.
 //
-// When accessing this endpoint through ORY Kratos' Public API, ensure that cookies are set as they are required for CSRF to work. To prevent
-// token scanning attacks, the public endpoint does not return 404 status codes.
-//
 // This endpoint supports stub values to help you implement the error UI:
 //
 // - `?error=stub:500` - returns a stub 500 (Internal Server Error) error.
@@ -94,20 +90,20 @@ type getSelfServiceErrorParameters struct {
 //       404: genericError
 //       500: genericError
 func (h *Handler) publicFetchError(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-	if err := h.fetchError(w, r, true); err != nil {
+	if err := h.fetchError(w, r); err != nil {
 		h.r.Writer().WriteError(w, r, x.ErrInvalidCSRFToken.WithTrace(err).WithDebugf("%s", err))
 		return
 	}
 }
 
 func (h *Handler) adminFetchError(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-	if err := h.fetchError(w, r, false); err != nil {
+	if err := h.fetchError(w, r); err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
 	}
 }
 
-func (h *Handler) fetchError(w http.ResponseWriter, r *http.Request, mustVerify bool) error {
+func (h *Handler) fetchError(w http.ResponseWriter, r *http.Request) error {
 	id := r.URL.Query().Get("error")
 	switch id {
 	case "stub:500":
@@ -120,10 +116,6 @@ func (h *Handler) fetchError(w http.ResponseWriter, r *http.Request, mustVerify
 		return err
 	}
 
-	if mustVerify && !nosurf.VerifyToken(h.csrf(r), es.CSRFToken) {
-		return errors.WithStack(x.ErrInvalidCSRFToken)
-	}
-
 	h.r.Writer().Write(w, r, es)
 	return nil
 }
diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go
@@ -114,7 +114,7 @@ type initializeSelfServiceBrowserLoginFlow struct {
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       200: loginFlow
@@ -161,7 +161,7 @@ func (h *Handler) initAPIFlow(w http.ResponseWriter, r *http.Request, _ httprout
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       302: emptyResponse

diff --git a/selfservice/flow/recovery/handler.go b/selfservice/flow/recovery/handler.go
@@ -84,7 +84,7 @@ func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin) {
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       200: recoveryFlow
@@ -120,7 +120,7 @@ func (h *Handler) initAPIFlow(w http.ResponseWriter, r *http.Request, _ httprout
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       302: emptyResponse

diff --git a/selfservice/flow/registration/handler.go b/selfservice/flow/registration/handler.go
@@ -104,7 +104,7 @@ func (h *Handler) NewRegistrationFlow(w http.ResponseWriter, r *http.Request, ft
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       200: registrationFlow
@@ -140,7 +140,7 @@ func (h *Handler) initApiFlow(w http.ResponseWriter, r *http.Request, ps httprou
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       302: emptyResponse

diff --git a/selfservice/flow/settings/handler.go b/selfservice/flow/settings/handler.go
@@ -127,7 +127,7 @@ func (h *Handler) NewFlow(w http.ResponseWriter, r *http.Request, i *identity.Id
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       200: settingsFlow
@@ -168,7 +168,7 @@ func (h *Handler) initApiFlow(w http.ResponseWriter, r *http.Request, _ httprout
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       302: emptyResponse
@@ -220,7 +220,7 @@ type getSelfServiceSettingsFlowParameters struct {
 //     Schemes: http, https
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Responses:
 //       200: settingsFlow

diff --git a/selfservice/strategy/password/settings.go b/selfservice/strategy/password/settings.go
@@ -105,7 +105,7 @@ func (p *CompleteSelfServiceSettingsFlowWithPasswordMethod) SetFlowID(rid uuid.U
 //     - application/json
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Schemes: http, https
 //

diff --git a/selfservice/strategy/profile/strategy.go b/selfservice/strategy/profile/strategy.go
@@ -147,7 +147,7 @@ func (s *Strategy) PopulateSettingsMethod(r *http.Request, id *identity.Identity
 //     - application/json
 //
 //     Security:
-//     - sessionToken
+//       sessionToken:
 //
 //     Schemes: http, https
 //