fix: fetch login challenge after code submissions

jonas-jonas · ory-bot · commit 048d3150e518 · 2026-01-17T16:52:52.000Z
GitOrigin-RevId: 4ff0402e96d4b8242bbfcbae518f96c77e1fdf09
diff --git a/selfservice/strategy/code/strategy.go b/selfservice/strategy/code/strategy.go
@@ -10,8 +10,12 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/pkg/errors"
+	"github.com/ory/kratos/hydra"
+	"github.com/ory/kratos/x/nosurfx"
+
 	"github.com/samber/lo"
+
+	"github.com/pkg/errors"
 	"github.com/tidwall/gjson"
 
 	"github.com/ory/herodot"
@@ -33,7 +37,6 @@ import (
 	"github.com/ory/kratos/ui/container"
 	"github.com/ory/kratos/ui/node"
 	"github.com/ory/kratos/x"
-	"github.com/ory/kratos/x/nosurfx"
 	"github.com/ory/x/httpx"
 	"github.com/ory/x/logrusx"
 	"github.com/ory/x/otelx"
@@ -108,6 +111,8 @@ type (
 		sessiontokenexchange.PersistenceProvider
 
 		continuity.ManagementProvider
+
+		hydra.Provider
 	}
 
 	Strategy struct{ deps dependencies }
diff --git a/selfservice/strategy/code/strategy_login.go b/selfservice/strategy/code/strategy_login.go
@@ -513,6 +513,14 @@ func (s *Strategy) loginSendCode(ctx context.Context, w http.ResponseWriter, r *
 		return err
 	}
 
+	if f.OAuth2LoginChallenge != "" {
+		hlr, err := s.deps.Hydra().GetLoginRequest(ctx, string(f.OAuth2LoginChallenge))
+		if err != nil {
+			return errors.WithStack(err)
+		}
+		f.HydraLoginRequest = hlr
+	}
+
 	if x.IsJSONRequest(r) {
 		if successResponse {
 			s.deps.Writer().WriteCode(w, r, http.StatusOK, f)
diff --git a/selfservice/strategy/code/strategy_login_test.go b/selfservice/strategy/code/strategy_login_test.go
@@ -19,22 +19,26 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/tidwall/gjson"
 
+	"github.com/ory/herodot"
 	"github.com/ory/x/configx"
 
 	"github.com/ory/kratos/courier"
 	"github.com/ory/kratos/driver"
 	"github.com/ory/kratos/driver/config"
+	"github.com/ory/kratos/hydra"
 	"github.com/ory/kratos/identity"
 	"github.com/ory/kratos/internal"
 	oryClient "github.com/ory/kratos/internal/httpclient"
 	"github.com/ory/kratos/internal/testhelpers"
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/flow/login"
+	"github.com/ory/kratos/selfservice/strategy/code"
 	"github.com/ory/kratos/selfservice/strategy/idfirst"
 	"github.com/ory/kratos/selfservice/strategy/totp"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/x"
+	"github.com/ory/kratos/x/nosurfx"
 	"github.com/ory/x/contextx"
 	"github.com/ory/x/ioutilx"
 	"github.com/ory/x/snapshotx"
@@ -1495,3 +1499,68 @@ func TestFormHydration(t *testing.T) {
 		toSnapshot(t, f)
 	})
 }
+
+func TestCodeLoginWithLoginChallenge(t *testing.T) {
+	t.Parallel()
+
+	_, reg := internal.NewFastRegistryWithMocks(t,
+		configx.WithValue(config.ViperKeySelfServiceStrategyConfig+"."+string(identity.CredentialsTypeCodeAuth), map[string]interface{}{
+			"enabled":              true,
+			"passwordless_enabled": true,
+		}),
+		configx.WithValues(testhelpers.DefaultIdentitySchemaConfig("file://./stub/code.identity.schema.json")),
+	)
+	reg.SetHydra(hydra.NewFake())
+	reg.WithCSRFTokenGenerator(nosurfx.FakeCSRFTokenGenerator)
+	s := code.NewStrategy(reg)
+
+	loginChallenge := hydra.FakeValidLoginChallenge
+
+	newFlow := func(ctx context.Context, t *testing.T) (*http.Request, *login.Flow) {
+		t.Helper()
+		r := httptest.NewRequest("GET", "/self-service/login/browser", nil)
+		r = r.WithContext(ctx)
+		f, err := login.NewFlow(reg.Config(), time.Minute, nosurfx.FakeCSRFToken, r, flow.TypeBrowser)
+		require.NoError(t, err)
+		require.NoError(t, reg.LoginFlowPersister().CreateLoginFlow(ctx, f))
+		return r, f
+	}
+
+	t.Run("case=fetches login challenge on code input state", func(t *testing.T) {
+		_, f := newFlow(t.Context(), t)
+		f.OAuth2LoginChallenge = sqlxx.NullString(loginChallenge)
+		i := createIdentity(t.Context(), t, reg, false, false)
+		email := gjson.Get(i.Traits.String(), "email").String()
+
+		body := gjson.Parse(`{
+			"method": "code",
+			"identifier": "` + email + `",
+			"csrf_token": "` + f.CSRFToken + `"
+		}`)
+		r := httptest.NewRequest("POST", "/self-service/login/browser", strings.NewReader(body.Raw))
+		r.Header.Add("Content-Type", "application/json")
+
+		_, err := s.Login(httptest.NewRecorder(), r, f, nil)
+		require.ErrorIs(t, err, flow.ErrCompletedByStrategy)
+		require.NotNil(t, f.HydraLoginRequest)
+	})
+
+	t.Run("case=returns error if login challenge is invalid", func(t *testing.T) {
+		_, f := newFlow(t.Context(), t)
+		f.OAuth2LoginChallenge = sqlxx.NullString(hydra.FakeInvalidLoginChallenge)
+		i := createIdentity(t.Context(), t, reg, false, false)
+		email := gjson.Get(i.Traits.String(), "email").String()
+
+		body := gjson.Parse(`{
+			"method": "code",
+			"identifier": "` + email + `",
+			"csrf_token": "` + f.CSRFToken + `"
+		}`)
+		r := httptest.NewRequest("POST", "/self-service/login/browser", strings.NewReader(body.Raw))
+		r.Header.Add("Content-Type", "application/json")
+
+		_, err := s.Login(httptest.NewRecorder(), r, f, nil)
+		require.ErrorIs(t, err, herodot.ErrBadRequest)
+		require.Nil(t, f.HydraLoginRequest)
+	})
+}
diff --git a/selfservice/strategy/code/strategy_registration.go b/selfservice/strategy/code/strategy_registration.go
@@ -26,8 +26,10 @@ import (
 	"github.com/ory/x/urlx"
 )
 
-var _ registration.Strategy = new(Strategy)
-var _ registration.FormHydrator = new(Strategy)
+var (
+	_ registration.Strategy     = new(Strategy)
+	_ registration.FormHydrator = new(Strategy)
+)
 
 // Update Registration Flow with Code Method
 //
@@ -255,6 +257,14 @@ func (s *Strategy) registrationSendEmail(ctx context.Context, w http.ResponseWri
 		return errors.WithStack(err)
 	}
 
+	if f.OAuth2LoginChallenge != "" {
+		hlr, err := s.deps.Hydra().GetLoginRequest(ctx, string(f.OAuth2LoginChallenge))
+		if err != nil {
+			return errors.WithStack(err)
+		}
+		f.HydraLoginRequest = hlr
+	}
+
 	if x.IsJSONRequest(r) {
 		s.deps.Writer().WriteCode(w, r, http.StatusBadRequest, f)
 	} else {
diff --git a/selfservice/strategy/code/strategy_registration_test.go b/selfservice/strategy/code/strategy_registration_test.go
@@ -22,10 +22,13 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/tidwall/gjson"
 
+	"github.com/ory/herodot"
 	"github.com/ory/x/configx"
+	"github.com/ory/x/sqlxx"
 
 	"github.com/ory/kratos/driver"
 	"github.com/ory/kratos/driver/config"
+	"github.com/ory/kratos/hydra"
 	"github.com/ory/kratos/identity"
 	"github.com/ory/kratos/internal"
 	oryClient "github.com/ory/kratos/internal/httpclient"
@@ -34,6 +37,7 @@ import (
 	"github.com/ory/kratos/selfservice/flow/registration"
 	"github.com/ory/kratos/selfservice/strategy/code"
 	"github.com/ory/kratos/ui/node"
+	"github.com/ory/kratos/x/nosurfx"
 	"github.com/ory/pop/v6"
 	"github.com/ory/x/assertx"
 	"github.com/ory/x/snapshotx"
@@ -819,3 +823,69 @@ func TestPopulateRegistrationMethod(t *testing.T) {
 		})
 	})
 }
+
+func TestCodeRegistrationWithLoginChallenge(t *testing.T) {
+	t.Parallel()
+
+	_, reg := internal.NewFastRegistryWithMocks(t,
+		configx.WithValue(config.ViperKeySelfServiceStrategyConfig+"."+string(identity.CredentialsTypeCodeAuth), map[string]interface{}{
+			"enabled":              true,
+			"passwordless_enabled": true,
+		}),
+		configx.WithValues(testhelpers.DefaultIdentitySchemaConfig("file://./stub/code.identity.schema.json")),
+	)
+	reg.SetHydra(hydra.NewFake())
+	reg.WithCSRFTokenGenerator(nosurfx.FakeCSRFTokenGenerator)
+	s := code.NewStrategy(reg)
+
+	loginChallenge := hydra.FakeValidLoginChallenge
+
+	newFlow := func(ctx context.Context, t *testing.T) (*http.Request, *registration.Flow) {
+		t.Helper()
+		r := httptest.NewRequest("GET", "/self-service/registration/browser", nil)
+		r = r.WithContext(ctx)
+		f, err := registration.NewFlow(reg.Config(), time.Minute, nosurfx.FakeCSRFToken, r, flow.TypeBrowser)
+		require.NoError(t, err)
+		require.NoError(t, reg.RegistrationFlowPersister().CreateRegistrationFlow(ctx, f))
+		return r, f
+	}
+
+	t.Run("case=fetches login challenge on code input state", func(t *testing.T) {
+		_, f := newFlow(t.Context(), t)
+		f.OAuth2LoginChallenge = sqlxx.NullString(loginChallenge)
+		i := identity.NewIdentity(f.IdentitySchema.ID(t.Context(), reg.Config()))
+		email := testhelpers.RandomEmail()
+
+		body := gjson.Parse(`{
+			"method": "code",
+			"traits.email": "` + email + `",
+			"csrf_token": "` + f.CSRFToken + `"
+		}`)
+		r := httptest.NewRequest("POST", "/self-service/registration/browser", strings.NewReader(body.Raw))
+		r.Header.Add("Content-Type", "application/json")
+
+		err := s.Register(httptest.NewRecorder(), r, f, i)
+		require.ErrorIs(t, err, flow.ErrCompletedByStrategy)
+		require.NotNil(t, f.HydraLoginRequest)
+	})
+
+	t.Run("case=returns error if login challenge is invalid", func(t *testing.T) {
+		_, f := newFlow(t.Context(), t)
+		f.OAuth2LoginChallenge = sqlxx.NullString(hydra.FakeInvalidLoginChallenge)
+		i := identity.NewIdentity(f.IdentitySchema.ID(t.Context(), reg.Config()))
+
+		email := testhelpers.RandomEmail()
+
+		body := gjson.Parse(`{
+			"method": "code",
+			"traits.email": "` + email + `",
+			"csrf_token": "` + f.CSRFToken + `"
+		}`)
+		r := httptest.NewRequest("POST", "/self-service/registration/browser", strings.NewReader(body.Raw))
+		r.Header.Add("Content-Type", "application/json")
+
+		err := s.Register(httptest.NewRecorder(), r, f, i)
+		require.ErrorIs(t, err, herodot.ErrBadRequest)
+		require.Nil(t, f.HydraLoginRequest)
+	})
+}
