/admin/oauth2/auth/requests/login returns 200 instead of 410 for a used login_challenge
deepakgupta-remitly opened this issue · 1 comment
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Currently, I am using Ory version 2.1.1, and the /admin/oauth2/auth/requests/login API returns 410 with a redirect URL in the redirect_to parameter for a used login_challenge.
But in version 2.2.0, the /oauth2/auth/requests/login API returns 200 for a used login_challenge. This leads to a broken flow at the end, as the login_challenge is already used.
I don't see any mention of this in the release notes, so I am reporting it as a bug.
Reproducing the bug
hydra serve all
curl -X GET http://example.com:80/oauth2/auth\?client_id\=client-1
=> this gives a login challenge, say foo
Get login challenge
curl -X GET http://example.com:9080/admin/oauth2/auth/requests/login\?login_challenge\=foo
Accept login
curl -X PUT http://example.com:9080/admin/oauth2/auth/requests/login/accept\?login_challenge\=foo -d '{"subject": "subject", "remember": true, "remember_for": 1}'
=> this gives a redirect URL in redirect_to
Once the redirect URL is visited, the login challenge is used.
Get login challenge again
curl -X GET http://example.com:9080/admin/oauth2/auth/requests/login\?login_challenge\=foo
In version 2.1.1, this GET returns 410 with a redirect_to URL.
But in version 2.2.0, it returns 200.
Relevant log output
No response
Relevant configuration
No response
Version
2.2.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
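The procedure above depends on Hydra answering 410 for a consumed login_challenge. The following is an added example, not code from this issue or from Ory Hydra, showing a login provider that tolerates both behaviours reported here: it honours a 410 plus redirect_to when Hydra sends one (2.1.1) and otherwise keeps its own record of accepted challenges so that a replayed challenge is refused even when the lookup returns 200 (2.2.0). The transport is injectable, so the flow runs offline against a constructed FakeHydra; the admin base URL and challenge value are taken from the curl commands above, while the fake's response bodies, the `replay` helper and the in-memory `accepted` set are assumptions made for illustration.

```python
"""Login-provider side of the Hydra login flow, tolerant of the 410/200 difference.

Added example; not code from the issue or from Ory Hydra.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

ADMIN_URL = "http://example.com:9080"  # admin base URL from the issue's curl commands


def http_transport(method, url, body=None):
    """Real transport: JSON over urllib, returning (status, decoded body) even on 4xx/5xx."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class LoginHandler:
    """Looks up and accepts a login request, refusing a challenge it has already accepted.

    Hydra 2.1.1 signals a used challenge with 410 + redirect_to; Hydra 2.2.0 answers 200,
    so the provider must detect the replay itself.
    """

    def __init__(self, admin_url, transport):
        self.admin_url = admin_url
        self.transport = transport
        self.accepted = set()  # assumed in-memory store; a real provider would persist this

    def _url(self, suffix, challenge):
        query = urllib.parse.urlencode({"login_challenge": challenge})
        return f"{self.admin_url}/admin/oauth2/auth/requests/login{suffix}?{query}"

    def handle(self, challenge, subject):
        """Return ("redirect", url) on success or ("error", reason) for a replayed/invalid challenge."""
        status, body = self.transport("GET", self._url("", challenge))
        if status == 410 and "redirect_to" in body:
            return "redirect", body["redirect_to"]  # 2.1.1: Hydra tells us where the user goes
        if status != 200:
            return "error", f"unexpected status {status} from login request lookup"
        if challenge in self.accepted:
            return "error", "login_challenge already used"  # 2.2.0: lookup returned 200 anyway
        status, body = self.transport(
            "PUT", self._url("/accept", challenge),
            {"subject": subject, "remember": True, "remember_for": 1})
        if status != 200 or "redirect_to" not in body:
            return "error", f"accept failed with status {status}"
        self.accepted.add(challenge)
        return "redirect", body["redirect_to"]


class FakeHydra:
    """Constructed stand-in for the admin API modelling only the two behaviours in the issue.

    Response bodies are assumptions, not Hydra's real schema; a challenge counts as consumed
    as soon as it is accepted (a simplification of "once the redirect URL is visited").
    """

    def __init__(self, version):
        self.version = version
        self.consumed = set()

    def __call__(self, method, url, body=None):
        parsed = urllib.parse.urlparse(url)
        challenge = urllib.parse.parse_qs(parsed.query)["login_challenge"][0]
        if method == "GET":
            if challenge in self.consumed and self.version == "2.1.1":
                return 410, {"redirect_to": f"http://example.com/oauth2/auth?resume={challenge}"}
            return 200, {"challenge": challenge, "skip": False}
        if method == "PUT" and parsed.path.endswith("/accept"):
            self.consumed.add(challenge)
            return 200, {"redirect_to": f"http://example.com/oauth2/auth?login_verifier=v-{challenge}"}
        return 404, {}


def replay(version):
    """Accept challenge 'foo' once, then present it again; return both outcomes."""
    handler = LoginHandler(ADMIN_URL, FakeHydra(version))
    return handler.handle("foo", "subject"), handler.handle("foo", "subject")


if __name__ == "__main__":
    for v in ("2.1.1", "2.2.0"):
        print(v, replay(v))
```

Against a real deployment, construct `LoginHandler(ADMIN_URL, http_transport)` instead of the fake; the replay guard then works the same way regardless of which status code the lookup returns.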
This is in fact a consequence of changes which landed in Hydra 2.2. Is this causing real-world issues? The full flow still cannot be completed twice.