fix: redirect to user details page when session is valid (#769)

natalian98 · web-flow · commit 6f39b2b6b21e · 2026-02-04T15:47:52.000+01:00
closes #768
diff --git a/internal/misc/http/helpers.go b/internal/misc/http/helpers.go
@@ -22,6 +22,27 @@ func CookiesToString(cookies []*http.Cookie) string {
 	return strings.Join(ret, "; ")
 }
 
+func FilterCookies(cookies []*http.Cookie, exclude ...string) []*http.Cookie {
+	if len(exclude) == 0 {
+		return cookies
+	}
+
+	ret := make([]*http.Cookie, 0)
+
+	diff := make(map[any]bool)
+	for _, deniedCookieName := range exclude {
+		diff[deniedCookieName] = true
+	}
+
+	for _, cookie := range cookies {
+		if _, ok := diff[cookie.Name]; !ok {
+			ret = append(ret, cookie)
+		}
+	}
+
+	return ret
+}
+
 func GetUserClaims(i kratos_client.Identity, cr hydra_client.OAuth2ConsentRequest) map[string]interface{} {
 	ret := make(map[string]interface{})
 	// Export the user claims and filter them based on the requested scopes
diff --git a/pkg/kratos/handlers.go b/pkg/kratos/handlers.go
@@ -5,12 +5,14 @@ import (
 	"crypto/md5"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strconv"
 	"time"
 
+	httpHelpers "github.com/canonical/identity-platform-login-ui/internal/misc/http"
 	"github.com/go-chi/chi/v5"
 	client "github.com/ory/kratos-client-go/v25"
 
@@ -25,6 +27,7 @@ const RegenerateBackupCodesError = "regenerate_backup_codes"
 const SESSION_REFRESH_REQUIRED = "session_refresh_required"
 const KRATOS_SESSION_COOKIE_NAME = "ory_kratos_session"
 const LOGIN_UI_STATE_COOKIE = "login_ui_state"
+const SECURITY_CSRF_VIOLATION_ERROR = "security_csrf_violation"
 
 type API struct {
 	mfaEnabled                    bool
@@ -38,6 +41,12 @@ type API struct {
 	logger logging.LoggerInterface
 }
 
+type KratosErrorResponse struct {
+	Error             *client.GenericError `json:"error,omitempty"`
+	RedirectBrowserTo string               `json:"redirect_browser_to,omitempty"`
+	RedirectTo        string               `json:"redirect_to,omitempty"`
+}
+
 func (a *API) RegisterEndpoints(mux *chi.Mux) {
 	mux.Post("/api/kratos/self-service/login", a.handleUpdateFlow)
 	mux.Post("/api/kratos/self-service/login/id-first", a.handleUpdateIdentifierFirstFlow)
@@ -138,10 +147,17 @@ func (a *API) handleCreateFlow(w http.ResponseWriter, r *http.Request) {
 			a.cookieManager.ClearStateCookie(w)
 		}
 	} else {
-		response, cookies, err = a.handleCreateFlowNewSession(r, aal, returnTo, loginChallenge, refresh)
+		response, cookies, err = a.handleCreateFlowNewSession(r, aal, returnTo, loginChallenge, refresh, session)
 	}
 
 	if err != nil {
+		// Propagate the KratosErrorResponse so frontend can handle it
+		if kratosError, ok := parseGenericError(err); ok {
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(kratosError)
+			return
+		}
+
 		a.logger.Errorf(err.Error())
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -167,15 +183,17 @@ func (a *API) handleCreateFlow(w http.ResponseWriter, r *http.Request) {
 	_ = json.NewEncoder(w).Encode(response)
 }
 
-func (a *API) handleCreateFlowNewSession(r *http.Request, aal, returnTo, loginChallenge string, refresh bool) (*client.LoginFlow, []*http.Cookie, error) {
+func (a *API) handleCreateFlowNewSession(r *http.Request, aal, returnTo, loginChallenge string, refresh bool, session *client.Session) (*client.LoginFlow, []*http.Cookie, error) {
 	// redirect user to this endpoint with the login_challenge after login
 	// see https://github.com/ory/kratos/issues/3052
 
 	cookies := r.Cookies()
 
-	// clear cookies if not aal2 and not a refresh request
-	if !refresh && aal != "aal2" {
-		cookies = filterCookies(cookies, KRATOS_SESSION_COOKIE_NAME)
+	// clear cookies if not a refresh request, not aal2, and either:
+	// - it's a hydra login (with loginChallenge)
+	// - it's a kratos local login without a session
+	if !refresh && aal != "aal2" && (session == nil || loginChallenge != "") {
+		cookies = httpHelpers.FilterCookies(cookies, KRATOS_SESSION_COOKIE_NAME)
 	}
 
 	flow, cookies, err := a.service.CreateBrowserLoginFlow(
@@ -187,7 +205,7 @@ func (a *API) handleCreateFlowNewSession(r *http.Request, aal, returnTo, loginCh
 		cookies,
 	)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create login flow, err: %v", err)
+		return nil, nil, fmt.Errorf("failed to create login flow, err: %w", err)
 	}
 
 	flow, err = a.service.FilterFlowProviderList(r.Context(), flow)
@@ -201,12 +219,26 @@ func (a *API) handleCreateFlowNewSession(r *http.Request, aal, returnTo, loginCh
 func (a *API) handleCreateFlowWithSession(r *http.Request, session *client.Session, loginChallenge string) (*BrowserLocationChangeRequired, []*http.Cookie, error) {
 	response, cookies, err := a.service.AcceptLoginRequest(r.Context(), session, loginChallenge)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to accept login request: %v", err)
+		return nil, nil, fmt.Errorf("failed to accept login request: %w", err)
 	}
 
 	return response, cookies, nil
 }
 
+func parseGenericError(err error) (*KratosErrorResponse, bool) {
+	var apiErr *client.GenericOpenAPIError
+	if !errors.As(err, &apiErr) {
+		return nil, false
+	}
+
+	var resp KratosErrorResponse
+	if err := json.Unmarshal(apiErr.Body(), &resp); err != nil {
+		return nil, false
+	}
+
+	return &resp, true
+}
+
 func (a *API) returnToUrl(loginChallenge string) (string, error) {
 	returnTo, err := url.JoinPath(a.baseURL, "/ui/login")
 	if err != nil {
@@ -244,6 +276,15 @@ func (a *API) handleGetLoginFlow(w http.ResponseWriter, r *http.Request) {
 
 	flow, cookies, err := a.service.GetLoginFlow(r.Context(), flowId, r.Cookies())
 	if err != nil {
+		if kratosError, ok := parseGenericError(err); ok {
+			if kratosError.Error.GetId() == SECURITY_CSRF_VIOLATION_ERROR {
+				a.deleteKratosSession(w)
+			}
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(kratosError)
+			return
+		}
+
 		a.logger.Errorf("Error when getting login flow: %v\n", err)
 		http.Error(w, "Failed to get login flow", http.StatusInternalServerError)
 		return
@@ -298,12 +339,12 @@ func (a *API) handleGetRegistrationFlow(w http.ResponseWriter, r *http.Request)
 func (a *API) handleUpdateRegistrationFlow(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 	flowId := q.Get("flow")
-    if flowId == "" {
-        a.logger.Errorf("ID parameter not present")
-        w.WriteHeader(http.StatusBadRequest)
-        _ = json.NewEncoder(w).Encode("ID parameter not present")
-        return
-    }
+	if flowId == "" {
+		a.logger.Errorf("ID parameter not present")
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode("ID parameter not present")
+		return
+	}
 
 	body, err := a.service.ParseRegistrationFlowMethodBody(r)
 	if err != nil {
@@ -1056,25 +1097,11 @@ func NewAPI(
 }
 
 func setCookies(w http.ResponseWriter, cookies []*http.Cookie, exclude ...string) {
-	for _, c := range filterCookies(cookies, exclude...) {
+	for _, c := range httpHelpers.FilterCookies(cookies, exclude...) {
 		http.SetCookie(w, c)
 	}
 }
 
-func filterCookies(cookies []*http.Cookie, exclude ...string) []*http.Cookie {
-	ret := []*http.Cookie{}
-l1:
-	for _, c := range cookies {
-		for _, n := range exclude {
-			if c.Name == n {
-				continue l1
-			}
-		}
-		ret = append(ret, c)
-	}
-	return ret
-}
-
 func hash(plain string) string {
 	h := md5.New()
 	h.Write([]byte(plain))
diff --git a/pkg/kratos/service.go b/pkg/kratos/service.go
@@ -1112,6 +1112,8 @@ func (s *Service) ParseIdentifierFirstLoginFlowMethodBody(r *http.Request) (*kCl
 	if err := parseBody(r.Body, &body); err != nil {
 		return nil, cookies, err
 	}
+
+	cookies = httpHelpers.FilterCookies(cookies, KRATOS_SESSION_COOKIE_NAME)
 	return &body, cookies, nil
 }
 
@@ -1190,13 +1192,7 @@ func (s *Service) ParseLoginFlowMethodBody(r *http.Request) (*kClient.UpdateLogi
 
 	// Remove session cookie if this is a 1FA method
 	if s.is1FAMethod(methodPayload.Method) {
-		filtered := make([]*http.Cookie, 0)
-		for _, c := range cookies {
-			if c.Name != KRATOS_SESSION_COOKIE_NAME {
-				filtered = append(filtered, c)
-			}
-		}
-		cookies = filtered
+		cookies = httpHelpers.FilterCookies(cookies, KRATOS_SESSION_COOKIE_NAME)
 	}
 
 	return &ret, cookies, nil
diff --git a/ui/tests/reset-password.spec.ts b/ui/tests/reset-password.spec.ts
@@ -7,7 +7,7 @@ import { confirmMailCode, enterNewPassword } from "./helpers/password";
 
 const USER_PASSWORD_NEW = "abcABC123!!!";
 
-test("reset password from oidc app", async ({ context, page }) => {
+test("reset password from oidc app", async ({ browser, context, page }) => {
   resetIdentities();
   await startNewAuthFlow(page);
 
@@ -24,13 +24,17 @@ test("reset password from oidc app", async ({ context, page }) => {
   await expect(page.getByText("Account setup complete")).toBeVisible();
   await finishAuthFlow(page);
 
-  await startNewAuthFlow(page);
+  // Start login in a new context as user is already authenticated within the current context
+  const newContext = await browser.newContext();
+  const newPage = await newContext.newPage();
 
-  await userPassLogin(page, USER_EMAIL, USER_PASSWORD);
-  await expect(page.getByText("Incorrect username or password")).toBeVisible();
+  await startNewAuthFlow(newPage);
 
-  await userPassLogin(page, USER_EMAIL, USER_PASSWORD_NEW);
-  await enterTotpCode(page, totpSetupKey);
+  await userPassLogin(newPage, USER_EMAIL, USER_PASSWORD);
+  await expect(newPage.getByText("Incorrect username or password")).toBeVisible();
 
-  await finishAuthFlow(page);
+  await userPassLogin(newPage, USER_EMAIL, USER_PASSWORD_NEW);
+  await enterTotpCode(newPage, totpSetupKey);
+
+  await finishAuthFlow(newPage);
 });
diff --git a/ui/tests/use-backup-codes.spec.ts b/ui/tests/use-backup-codes.spec.ts
@@ -5,7 +5,7 @@ import { resetIdentities } from "./helpers/kratosIdentities";
 import { userPassLogin } from "./helpers/login";
 import { clickButton, verifyBackupCode } from "./helpers/backupCode";
 
-test("backup recovery code setup and usage", async ({ context, page }) => {
+test("backup recovery code setup and usage", async ({ browser, context, page }) => {
   resetIdentities();
   await startNewAuthFlow(page);
   await userPassLogin(page);
@@ -25,11 +25,15 @@ test("backup recovery code setup and usage", async ({ context, page }) => {
 
   await expect(page.getByText("Account setup complete")).toBeVisible();
 
-  await startNewAuthFlow(page);
-  await userPassLogin(page);
+  // Start login in a new context as user is already authenticated within the current context
+  const newContext = await browser.newContext();
+  const newPage = await newContext.newPage();
 
-  await clickButton(page, "Use backup code instead");
-  await verifyBackupCode(page, backupCode);
+  await startNewAuthFlow(newPage);
+  await userPassLogin(newPage);
 
-  await finishAuthFlow(page);
+  await clickButton(newPage, "Use backup code instead");
+  await verifyBackupCode(newPage, backupCode);
+
+  await finishAuthFlow(newPage);
 });
diff --git a/ui/util/handleFlowError.ts b/ui/util/handleFlowError.ts
@@ -33,7 +33,7 @@ export const handleFlowError =
         return;
       case "session_already_available":
         // User is already signed in, let's redirect them to settings
-        window.location.href = "./reset_password";
+        window.location.href = "./manage_details";
         return;
       case "session_refresh_required":
         // We need to re-authenticate to perform this action
