Return REST error when fetching expired login/registration/profile request #235
aeneasr added the bug, security and blocking labels on Feb 6, 2020
aeneasr added two commits that referenced this issue on Mar 15, 2020
@aeneasr Is there a reason why a response for an expired flow is returned in the following form, instead of using the same structure as documented in: https://www.ory.sh/docs/kratos/concepts/ui-user-interface#ui-error-codes
Could this not be unique?
True, we will need to streamline the different error states!
Describe the bug
Currently, expired login/registration/profile requests return the full payload. This could be used in brute-force or other guessing attacks, which could lead to leaking of PII.
Instead, expired requests should just return an error (e.g. HTTP GONE).
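As an added illustration of the fix requested in this issue (example code, not Kratos' own), the sketch below shows a flow lookup that serialises the full flow regardless of expiry next to the corrected variant, which answers 410 Gone with only an error body once the flow has expired. The Flow type, its field names and the error JSON shape are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"time"
)

// Flow is a constructed, simplified stand-in for a self-service
// login/registration/profile flow (hypothetical; not Kratos' own type).
type Flow struct {
	ID        string    `json:"id"`
	ExpiresAt time.Time `json:"expires_at"`
	// Form values the UI re-renders after a failed attempt; these can
	// carry user-supplied data such as an e-mail address.
	Fields map[string]string `json:"fields"`
}

// Expired reports whether the flow's lifetime has passed at instant now.
func (f Flow) Expired(now time.Time) bool {
	return !now.Before(f.ExpiresAt)
}

// RenderBefore mirrors the behaviour the issue describes: the full flow
// is serialised whether or not it has expired, so anyone holding a flow
// ID keeps receiving the stored fields after the flow should be dead.
func RenderBefore(f Flow, _ time.Time) (int, []byte) {
	body, _ := json.Marshal(f)
	return http.StatusOK, body
}

// Render is the fixed variant: an expired flow yields 410 Gone and a
// body that carries only an error, never the flow's fields.
func Render(f Flow, now time.Time) (int, []byte) {
	if f.Expired(now) {
		body, _ := json.Marshal(map[string]interface{}{
			"error": map[string]interface{}{
				"code":    http.StatusGone,
				"status":  http.StatusText(http.StatusGone),
				"message": "the flow has expired, initialize a new one",
			},
		})
		return http.StatusGone, body
	}
	body, _ := json.Marshal(f)
	return http.StatusOK, body
}
```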