u

ory · May 8, 2023 · f0d39f2 · f0d39f2
1 parent 5df6e66
commit f0d39f2
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 27 deletions.
diff --git a/selfservice/flow/settings/handler_test.go b/selfservice/flow/settings/handler_test.go
@@ -357,39 +357,41 @@ func TestHandler(t *testing.T) {
 				assertx.EqualAsJSON(t, session.NewErrAALNotSatisfied(publicTS.URL+"/self-service/login/browser?aal=aal2"), json.RawMessage(body))
 			})
 
-			t.Run("description=preserve return_to if identity has aal2 but session has aal1", func(t *testing.T) {
-				t.Cleanup(func() {
-					conf.MustSet(ctx, config.ViperKeySelfServiceSettingsRequiredAAL, config.HighestAvailableAAL)
-				})
-				conf.MustSet(ctx, config.ViperKeySelfServiceSettingsRequiredAAL, "aal1")
-				conf.MustSet(ctx, config.ViperKeyURLsAllowedReturnToDomains, []string{"https://ory.sh"})
+		})
 
-				returnTo := "?return_to=https://ory.sh"
-				req, err := http.NewRequest("GET", publicTS.URL+settings.RouteInitBrowserFlow+returnTo, nil)
-				require.NoError(t, err)
+		t.Run("description=preserve return_to if identity has aal2 but session has aal1", func(t *testing.T) {
+			t.Cleanup(func() {
+				conf.MustSet(ctx, config.ViperKeySelfServiceSettingsRequiredAAL, config.HighestAvailableAAL)
+			})
+			conf.MustSet(ctx, config.ViperKeySelfServiceSettingsRequiredAAL, "aal1")
+			conf.MustSet(ctx, config.ViperKeyURLsAllowedReturnToDomains, []string{"https://ory.sh"})
 
-				res, err := aal2Identity.Do(req)
-				require.NoError(t, err)
+			returnTo := "?return_to=https://ory.sh"
+			req, err := http.NewRequest("GET", publicTS.URL+settings.RouteInitBrowserFlow+returnTo, nil)
+			require.NoError(t, err)
 
-				require.Equal(t, http.StatusOK, res.StatusCode)
+			res, err := aal2Identity.Do(req)
+			require.NoError(t, err)
 
-				body := ioutilx.MustReadAll(res.Body)
-				require.NoError(t, res.Body.Close())
+			require.Equal(t, http.StatusOK, res.StatusCode)
 
-				id := gjson.GetBytes(body, "id").String()
+			body := ioutilx.MustReadAll(res.Body)
+			require.NoError(t, res.Body.Close())
 
-				conf.MustSet(ctx, config.ViperKeySelfServiceSettingsRequiredAAL, config.HighestAvailableAAL)
-				res, err = aal2Identity.Get(publicTS.URL + settings.RouteGetFlow + "?id=" + id)
-				require.NoError(t, err)
+			id := gjson.GetBytes(body, "id").String()
 
-				body = ioutilx.MustReadAll(res.Body)
-				require.NoError(t, res.Body.Close())
+			conf.MustSet(ctx, config.ViperKeySelfServiceSettingsRequiredAAL, config.HighestAvailableAAL)
+			res, err = aal2Identity.Get(publicTS.URL + settings.RouteGetFlow + "?id=" + id)
+			require.NoError(t, err)
+
+			body = ioutilx.MustReadAll(res.Body)
+			require.NoError(t, res.Body.Close())
 
-				require.EqualValues(t, http.StatusForbidden, res.StatusCode)
+			require.EqualValues(t, http.StatusForbidden, res.StatusCode)
 
-				assertx.EqualAsJSON(t, session.NewErrAALNotSatisfied(publicTS.URL+"/self-service/login/browser?aal=aal2&return_to="+url.QueryEscape("https://ory.sh")), json.RawMessage(body))
-			})
+			assertx.EqualAsJSON(t, session.NewErrAALNotSatisfied(publicTS.URL+"/self-service/login/browser?aal=aal2&return_to="+url.QueryEscape("https://ory.sh")), json.RawMessage(body))
 		})
+
 	})
 
 	t.Run("endpoint=submit", func(t *testing.T) {

diff --git a/selfservice/strategy/code/strategy_recovery.go b/selfservice/strategy/code/strategy_recovery.go
@@ -394,6 +394,12 @@ func (s *Strategy) recoveryIssueSession(w http.ResponseWriter, r *http.Request,
 		return s.retryRecoveryFlowWithError(w, r, flow.TypeBrowser, err)
 	}
 
+	if u, err := url.Parse(sf.RequestURL); err != nil {
+		return s.retryRecoveryFlowWithError(w, r, flow.TypeBrowser, err)
+	} else {
+		sf.ReturnTo = u.Query().Get("return_to")
+	}
+
 	if err := s.deps.RecoveryExecutor().PostRecoveryHook(w, r, f, sess); err != nil {
 		return s.retryRecoveryFlowWithError(w, r, f.Type, err)
 	}

diff --git a/test/e2e/cypress/integration/profiles/recovery/return-to/success.spec.ts b/test/e2e/cypress/integration/profiles/recovery/return-to/success.spec.ts
@@ -1,6 +1,7 @@
 // Copyright © 2023 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
+import { Identity } from "@ory/kratos-client"
 import { authenticator } from "otplib"
 import { gen, website } from "../../../../helpers"
 import { appPrefix, assertRecoveryAddress, gen } from "../../../../helpers"
@@ -30,19 +31,18 @@ context("Recovery with `return_to`", () => {
         cy.proxy(app)
       })
 
-      let identity
+      let identity: any
 
       beforeEach(() => {
         cy.deleteMail()
         cy.longRecoveryLifespan()
-        cy.longLinkLifespan()
         cy.disableVerification()
         cy.enableRecovery()
         cy.useRecoveryStrategy("code")
         cy.notifyUnknownRecipients("recovery", false)
         cy.clearAllCookies()
         cy.longPrivilegedSessionTime()
-        cy.useLaxAal()
+        cy.requireStrictAal()
         identity = gen.identityWithWebsite()
         cy.registerApi(identity)
       })
@@ -91,7 +91,7 @@ context("Recovery with `return_to`", () => {
         cy.visit(settings)
 
         // enable mfa for this account
-        let secret
+        let secret: string
         cy.get('[data-testid="node/text/totp_secret_key/text"]').then(($e) => {
           secret = $e.text().trim()
         })
@@ -105,6 +105,7 @@ context("Recovery with `return_to`", () => {
           expectMethods: ["password", "totp"],
         })
 
+        cy.logout()
         cy.clearAllCookies()
 
         cy.visit(recovery + "?return_to=https://www.ory.sh/")