kratos
New verification flow returned from complete on expired flow is not the same type
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
N/A
Describe the bug
When you try to complete a native verification flow which has expired, you get the expected 303 redirect to a new verification flow. However, the new flow that is created is of type browser.
This causes a CSRF error when you try and use the flow.
Reproducing the bug
- Create a native verification flow
- Attempt to complete it after the lifespan of the verification flow
- Observe a new browser verification flow in return
Relevant log output
No response
Relevant configuration
No response
Version
1.0.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
It would also be quite nice if expired native flows behave the same. An expired native registration flow returns a 410, for example, which is more suited to a native environment.
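
A client-side guard for the behaviour reported above, as an added example that is not part of the original issue or of the Kratos code base: it submits a native verification flow without following the redirect, inspects the replacement flow, and requests a new native flow when the replacement is not one. It assumes that flow JSON carries a `type` field (`api` for native, `browser` otherwise) and that the redirect `Location` can be fetched as JSON; `submit_native` and its helpers are hypothetical names.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: the 303 then surfaces as HTTPError


_opener = urllib.request.build_opener(_NoRedirect)


def _get_flow(url):
    with _opener.open(url) as resp:
        return json.load(resp)


def submit_native(base, flow_id, body):
    """Submit a native verification flow; return (flow, type_mismatch).

    Assumption: flows carry "type", "api" for native and "browser" otherwise.
    """
    req = urllib.request.Request(
        f"{base}/self-service/verification?flow={flow_id}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    try:
        with _opener.open(req) as resp:
            return json.load(resp), False  # flow was still valid
    except urllib.error.HTTPError as err:
        if err.code != 303:
            raise
        # Expired flow: the server points at a replacement flow.
        location = urllib.parse.urljoin(req.full_url, err.headers["Location"])
    replacement = _get_flow(location)
    if replacement.get("type") == "api":
        return replacement, False
    # The issue reports a CSRF error when a native client uses a browser flow,
    # so discard it and ask for a new native flow explicitly.
    fresh = _get_flow(f"{base}/self-service/verification/api")
    return fresh, True
```

A `True` in the second return value is worth logging on the client, since it marks the server handing a browser flow to a native caller.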