fix: admin recovery CSRF & duplicate form elements #2846

jonas-jonas · 2022-10-27T18:33:51Z

Another quick fix for issues I noticed during example making

Related issue(s)

#2845

Checklist

I have read the contributing guidelines.
I have referenced an issue containing the design document if my change
introduces a new feature.
I am following the
contributing code guidelines.
I have read the security policy.
I confirm that this pull request does not address a security
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
I have added tests that prove my fix is effective or that my feature
works.
I have added or changed the documentation.

Further Comments

jonas-jonas · 2022-10-27T18:36:04Z

selfservice/strategy/code/strategy_recovery_test.go

@@ -134,12 +134,9 @@ func TestAdminStrategy(t *testing.T) {

 		action := gjson.GetBytes(body, "ui.action").String()
 		require.NotEmpty(t, action)
-		csrfToken := gjson.GetBytes(body, "ui.nodes.#(attributes.name==csrf_token).attributes.value").String()


These assertions are nonsensical in admin flows, as we don't (read can't) enforce anti-CSRF measures on admin flows. So I removed them.

These worked in the first place because the test setup uses the same client for admin actions as for the self-service actions.

codecov · 2022-10-27T18:58:43Z

Codecov Report

Merging #2846 (2aa37d5) into master (59588d2) will decrease coverage by 0.00%.
The diff coverage is 83.33%.

❗ Current head 2aa37d5 differs from pull request most recent head 141781d. Consider uploading reports for the commit 141781d to get more accurate results

@@            Coverage Diff             @@
##           master    #2846      +/-   ##
==========================================
- Coverage   75.96%   75.95%   -0.01%     
==========================================
  Files         304      304              
  Lines       18168    18173       +5     
==========================================
+ Hits        13802    13804       +2     
- Misses       3307     3310       +3     
  Partials     1059     1059

Impacted Files	Coverage Δ
selfservice/strategy/code/strategy_recovery.go	`70.19% <83.33%> (+0.50%)`	⬆️
courier/courier_dispatcher.go	`54.23% <0.00%> (-8.48%)`	⬇️
persistence/sql/persister_courier.go	`82.82% <0.00%> (-2.03%)`	⬇️
session/test/persistence.go	`100.00% <0.00%> (+0.98%)`	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

fix: admin recovery CSRF & duplicate form elements

141781d

jonas-jonas requested review from aeneasr and zepatrik as code owners October 27, 2022 18:33

jonas-jonas commented Oct 27, 2022

View reviewed changes

aeneasr merged commit de80b7f into master Oct 30, 2022

aeneasr deleted the fix/recoveryFormIssues2 branch October 30, 2022 11:42

jonas-jonas mentioned this pull request Oct 31, 2022

Duplicate form fields & CSRF issues in admin recovery #2845

Closed

6 tasks

peturgeorgievv pushed a commit to senteca/kratos-fork that referenced this pull request Jun 30, 2023

fix: admin recovery CSRF & duplicate form elements (ory#2846)

206bf38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: admin recovery CSRF & duplicate form elements #2846

fix: admin recovery CSRF & duplicate form elements #2846

jonas-jonas commented Oct 27, 2022 •

edited

jonas-jonas Oct 27, 2022

codecov bot commented Oct 27, 2022

fix: admin recovery CSRF & duplicate form elements #2846

fix: admin recovery CSRF & duplicate form elements #2846

Conversation

jonas-jonas commented Oct 27, 2022 • edited

Related issue(s)

Checklist

Further Comments

jonas-jonas Oct 27, 2022

Choose a reason for hiding this comment

codecov bot commented Oct 27, 2022

Codecov Report

jonas-jonas commented Oct 27, 2022 •

edited