Return REST error when fetching expired login/registration/profile request #235

Closed
aeneasr opened this issue Feb 6, 2020 · 2 comments · Fixed by #289
Labels
blocking Blocks milestones or other issues or pulls. bug Something is not working.

aeneasr commented Feb 6, 2020

Describe the bug

Currently, expired login/registration/profile requests return the full payload. This could be used in brute-force or other guessing attacks, which could lead to leaking of PII.

Instead, expired requests should just return an error (e.g. HTTP GONE)

@aeneasr aeneasr added bug Something is not working. security blocking Blocks milestones or other issues or pulls. labels Feb 6, 2020
@aeneasr aeneasr added this to the v0.1.1-alpha.1 milestone Feb 6, 2020
aeneasr added a commit that referenced this issue Mar 15, 2020
akkie commented Sep 3, 2022

@aeneasr Is there a reason why a response for an expired flow is returned in the following form, instead of using the same structure as documented in: https://www.ory.sh/docs/kratos/concepts/ui-user-interface#ui-error-codes

```json
{
  "code": 410,
  "status": "Gone",
  "reason": "The settings flow has expired. Redirect the user to the settings flow init endpoint to initialize a new settings flow.",
  "details": {
    "redirect_to": "https://my.app/kratos/self-service/settings/browser",
    "return_to": ""
  },
  "message": "The requested resource is no longer available because it has expired or is otherwise invalid."
}
```

Could this not be unique?

aeneasr commented Nov 1, 2022

True, we will need to streamline the different error states!
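The two points raised in this thread, that an expired flow must not return its payload and that the error should use one consistent envelope, shown in working Go as an added example (this is illustrative code, not Kratos' own implementation): a handler in the reported shape, which serialises the flow regardless of expiry, beside a hardened one that checks expiry first and answers with a generic 410 Gone envelope. The `Flow`, `APIError` and `FlowStore` types, the `/self-service/<type>/browser` init path and the sample identity data are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Flow is a minimal stand-in for a self-service flow. It is a hypothetical
// type for this example, not the Kratos struct.
type Flow struct {
	ID        string            `json:"id"`
	Type      string            `json:"type"` // "login", "registration" or "settings"
	ExpiresAt time.Time         `json:"expires_at"`
	Identity  map[string]string `json:"identity,omitempty"` // PII that must never leak after expiry
}

// APIError is one generic error envelope, loosely following the documented
// code/status/reason/message/details shape (assumed, not the project's type).
type APIError struct {
	Code    int               `json:"code"`
	Status  string            `json:"status"`
	Reason  string            `json:"reason"`
	Message string            `json:"message"`
	Details map[string]string `json:"details,omitempty"`
}

// NewExpiredFlowError builds the 410 Gone envelope for an expired flow.
// initURL is where the client should start a fresh flow (assumed path layout).
func NewExpiredFlowError(f *Flow, initURL string) APIError {
	return APIError{
		Code:    http.StatusGone,
		Status:  http.StatusText(http.StatusGone),
		Reason:  fmt.Sprintf("The %s flow has expired. Redirect the user to the %s flow init endpoint to initialize a new %s flow.", f.Type, f.Type, f.Type),
		Message: "The requested resource is no longer available because it has expired or is otherwise invalid.",
		Details: map[string]string{"redirect_to": initURL},
	}
}

// FlowStore is an in-memory map of flows keyed by ID (constructed for the example).
type FlowStore map[string]*Flow

// VulnerableHandler reproduces the reported bug: the full flow, identity
// included, is returned even when the flow has already expired.
func VulnerableHandler(store FlowStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		f, ok := store[r.URL.Query().Get("id")]
		if !ok {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		json.NewEncoder(w).Encode(f) // no expiry check at all
	})
}

// HardenedHandler checks expiry before touching the payload; an expired flow
// gets only the generic 410 envelope. now is injectable for testing.
func HardenedHandler(store FlowStore, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		f, ok := store[r.URL.Query().Get("id")]
		if !ok {
			w.WriteHeader(http.StatusNotFound)
			json.NewEncoder(w).Encode(APIError{Code: http.StatusNotFound, Status: http.StatusText(http.StatusNotFound), Message: "No flow with this ID exists."})
			return
		}
		if !now().Before(f.ExpiresAt) { // expired: do not serialise the flow
			w.WriteHeader(http.StatusGone)
			json.NewEncoder(w).Encode(NewExpiredFlowError(f, "/self-service/"+f.Type+"/browser"))
			return
		}
		json.NewEncoder(w).Encode(f)
	})
}

// FetchFlow drives a handler with an in-process request and returns status and body.
func FetchFlow(h http.Handler, id string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/self-service/settings/flows?id="+id, nil)
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// LeaksIdentity reports whether a JSON response body still carries the identity field.
func LeaksIdentity(body string) bool {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return false
	}
	_, ok := m["identity"]
	return ok
}

// SampleStore returns one expired and one live settings flow (constructed data).
func SampleStore(now time.Time) FlowStore {
	pii := map[string]string{"email": "alice@example.com"} // constructed sample PII
	return FlowStore{
		"expired": {ID: "expired", Type: "settings", ExpiresAt: now.Add(-time.Minute), Identity: pii},
		"live":    {ID: "live", Type: "settings", ExpiresAt: now.Add(time.Hour), Identity: pii},
	}
}

func main() {
	store := SampleStore(time.Now())
	for _, id := range []string{"expired", "live"} {
		code, body := FetchFlow(HardenedHandler(store, time.Now), id)
		fmt.Printf("%s -> %d %s", id, code, body)
	}
}
```

The key design choice is ordering: the hardened handler decides on expiry before any field of the flow is serialised, so the only thing an expired ID can ever yield is the fixed envelope, and because every error path uses `APIError`, a UI can handle 404 and 410 with the same decoding code.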
