feat: implement blocking webhooks (#1585)

feat: implement blocking webhooks (#1585)

This feature allows webhooks to return validation errors in the registration and login flow from a webhook. This feature enables you to deny sign-ups from a specific domain, for example.

A big thank you goes out to the team at Wikia / Fandom for implementing and contributing to this feature!

Closes #1724
Closes #1483

Author: harnash

embedx/config.schema.json

@@ -208,6 +208,11 @@
                 }
               ]
             },
+            "can_interrupt": {
+              "type": "boolean",
+              "default": false,
+              "description": "If enabled allows the web hook to interrupt / abort the self-service flow. It only applies to certain flows (registration/verification/login/settings) and requires a valid response format."
+            },
             "auth": {
               "type": "object",
               "title": "Auth mechanisms",
@@ -223,6 +228,36 @@
             },
             "additionalProperties": false
           },
+          "anyOf": [
+            {
+              "not":
+              {
+                "properties": {
+                  "response": {
+                    "properties": {
+                      "ignore": {
+                        "enum": [
+                          true
+                        ]
+                      }
+                    },
+                    "required": ["ignore"]
+                  }
+                },
+                "required": ["response"]
+              }
+            },
+            {
+              "properties": {
+                "can_interrupt": {
+                  "enum": [
+                    false
+                  ]
+                }
+              },
+              "require": ["can_interrupt"]
+            }
+          ],
           "additionalProperties": false,
           "required": [
             "url",

identity/credentials.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/ory/kratos/corp"
+	"github.com/ory/kratos/ui/node"
 
 	"github.com/gofrs/uuid"
 
@@ -42,6 +43,23 @@ func (c CredentialsType) String() string {
 	return string(c)
 }
 
+func (c CredentialsType) ToUiNodeGroup() node.UiNodeGroup {
+	switch c {
+	case CredentialsTypePassword:
+		return node.PasswordGroup
+	case CredentialsTypeOIDC:
+		return node.OpenIDConnectGroup
+	case CredentialsTypeTOTP:
+		return node.TOTPGroup
+	case CredentialsTypeWebAuthn:
+		return node.WebAuthnGroup
+	case CredentialsTypeLookup:
+		return node.LookupGroup
+	default:
+		return node.DefaultGroup
+	}
+}
+
 // Please make sure to add all of these values to the test that ensures they are created during migration
 const (
 	CredentialsTypePassword CredentialsType = "password"

schema/errors.go

@@ -247,6 +247,50 @@ func NewNoWebAuthnRegistered() error {
 	})
 }
 
+func NewHookValidationError(instancePtr, message string, messages text.Messages) *ValidationError {
+	return &ValidationError{
+		ValidationError: &jsonschema.ValidationError{
+			Message:     message,
+			InstancePtr: instancePtr,
+		},
+		Messages: messages,
+	}
+}
+
+type ValidationListError struct {
+	Validations []*ValidationError
+}
+
+func (e ValidationListError) Error() string {
+	var detailError string
+	for pos, validationErr := range e.Validations {
+		detailError = detailError + fmt.Sprintf("\n(%d) %s", pos, validationErr.Error())
+	}
+	return fmt.Sprintf("%d validation errors occurred:%s", len(e.Validations), detailError)
+}
+
+func (e *ValidationListError) Add(v *ValidationError) {
+	e.Validations = append(e.Validations, v)
+}
+
+func (e ValidationListError) HasErrors() bool {
+	return len(e.Validations) > 0
+}
+
+func (e *ValidationListError) WithError(instancePtr, message string, details text.Messages) {
+	e.Validations = append(e.Validations, &ValidationError{
+		ValidationError: &jsonschema.ValidationError{
+			Message:     message,
+			InstancePtr: instancePtr,
+		},
+		Messages: details,
+	})
+}
+
+func NewValidationListError(errs []*ValidationError) error {
+	return errors.WithStack(&ValidationListError{Validations: errs})
+}
+
 func NewNoWebAuthnCredentials() error {
 	return errors.WithStack(&ValidationError{
 		ValidationError: &jsonschema.ValidationError{

schema/errors_test.go

@@ -0,0 +1,36 @@
+package schema
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/ory/jsonschema/v3"
+
+	"github.com/ory/kratos/text"
+)
+
+func TestListValidationErrors(t *testing.T) {
+	testErr := ValidationListError{}
+
+	assert.False(t, testErr.HasErrors())
+
+	testErr.WithError("#/traits/password", "error message", new(text.Messages).Add(text.NewErrorValidationDuplicateCredentials()))
+	assert.True(t, testErr.HasErrors())
+	assert.Len(t, testErr.Validations, 1)
+
+	validationError := &ValidationError{
+		ValidationError: &jsonschema.ValidationError{
+			Message:     `the provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number`,
+			InstancePtr: "#/",
+			Context:     &ValidationErrorContextPasswordPolicyViolation{},
+		},
+		Messages: new(text.Messages).Add(text.NewErrorValidationInvalidCredentials()),
+	}
+	testErr.Add(validationError)
+	assert.Len(t, testErr.Validations, 2)
+	assert.Equal(t, "2 validation errors occurred:"+
+		"\n(0) I[#/traits/password] S[] error message"+
+		"\n(1) I[#/] S[] the provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number",
+		testErr.Error())
+}

selfservice/flow/error.go

@@ -7,6 +7,9 @@ import (
 	"time"
 
 	"github.com/ory/kratos/driver/config"
+	"github.com/ory/kratos/identity"
+	"github.com/ory/kratos/ui/container"
+	"github.com/ory/kratos/ui/node"
 	"github.com/ory/kratos/x"
 	"github.com/ory/x/urlx"
 
@@ -90,6 +93,29 @@ func NewBrowserLocationChangeRequiredError(redirectTo string) *BrowserLocationCh
 	}
 }
 
+func HandleHookError(_ http.ResponseWriter, r *http.Request, f Flow, traits identity.Traits, group node.UiNodeGroup, flowError error, logger x.LoggingProvider, csrf x.CSRFTokenGeneratorProvider) error {
+	if f != nil {
+		if traits != nil {
+			cont, err := container.NewFromStruct("", group, traits, "traits")
+			if err != nil {
+				logger.Logger().WithError(err).Error("could not update flow UI")
+				return err
+			}
+
+			for _, n := range cont.Nodes {
+				// we only set the value and not the whole field because we want to keep types from the initial form generation
+				f.GetUI().Nodes.SetValueAttribute(n.ID(), n.Attributes.GetValue())
+			}
+		}
+
+		if f.GetType() == TypeBrowser {
+			f.GetUI().SetCSRF(csrf.GenerateCSRFToken(r))
+		}
+	}
+
+	return flowError
+}
+
 func GetFlowExpiredRedirectURL(config *config.Config, route, returnTo string) *url.URL {
 	redirectURL := urlx.AppendPaths(config.SelfPublicURL(), route)
 	if returnTo != "" {

selfservice/flow/error_test.go

@@ -0,0 +1,135 @@
+package flow
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/gofrs/uuid"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/ory/kratos/identity"
+	"github.com/ory/kratos/schema"
+	"github.com/ory/kratos/text"
+	"github.com/ory/kratos/ui/container"
+	"github.com/ory/kratos/ui/node"
+	"github.com/ory/kratos/x"
+	"github.com/ory/x/httpx"
+	"github.com/ory/x/logrusx"
+	"github.com/ory/x/otelx"
+)
+
+type testCSRFTokenGenerator struct{}
+
+func (t *testCSRFTokenGenerator) GenerateCSRFToken(_ *http.Request) string {
+	return "csrf_token_value"
+}
+
+// testFlow is a minimalistic flow implementation to satisfy interface and is used only in tests.
+type testFlow struct {
+	// ID represents the flow's unique ID.
+	//
+	// required: true
+	ID uuid.UUID `json:"id" faker:"-" db:"id" rw:"r"`
+
+	// Type represents the flow's type which can be either "api" or "browser", depending on the flow interaction.
+	//
+	// required: true
+	Type Type `json:"type" db:"type" faker:"flow_type"`
+
+	// RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+	// to forward information contained in the URL's path or query for example.
+	//
+	// required: true
+	RequestURL string `json:"request_url" db:"request_url"`
+
+	// UI contains data which must be shown in the user interface.
+	//
+	// required: true
+	UI *container.Container `json:"ui" db:"ui"`
+}
+
+func (t *testFlow) GetID() uuid.UUID {
+	return t.ID
+}
+
+func (t *testFlow) GetType() Type {
+	return t.Type
+}
+
+func (t *testFlow) GetRequestURL() string {
+	return t.RequestURL
+}
+
+func (t *testFlow) AppendTo(url *url.URL) *url.URL {
+	return AppendFlowTo(url, t.ID)
+}
+
+func (t *testFlow) GetUI() *container.Container {
+	return t.UI
+}
+
+func newTestFlow(r *http.Request, flowType Type) Flow {
+	id := x.NewUUID()
+	requestURL := x.RequestURL(r).String()
+	ui := &container.Container{
+		Method: "POST",
+		Action: "/test",
+	}
+
+	ui.Nodes.Append(node.NewInputField("traits.username", nil, node.PasswordGroup, node.InputAttributeTypeText, node.WithRequiredInputAttribute))
+	ui.Nodes.Append(node.NewInputField("traits.password", nil, node.PasswordGroup, node.InputAttributeTypePassword, node.WithRequiredInputAttribute))
+
+	return &testFlow{
+		ID:         id,
+		UI:         ui,
+		RequestURL: requestURL,
+		Type:       flowType,
+	}
+}
+
+func prepareTraits(username, password string) identity.Traits {
+	payload := struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}{username, password}
+
+	data, _ := json.Marshal(payload)
+	return data
+}
+
+func TestHandleHookError(t *testing.T) {
+	r := &http.Request{URL: &url.URL{RawQuery: ""}}
+	logger := logrusx.New("kratos", "test", logrusx.ForceLevel(logrus.FatalLevel))
+	l := &x.SimpleLoggerWithClient{L: logger, C: httpx.NewResilientClient(), T: otelx.NewNoop(logger, &otelx.Config{ServiceName: "kratos"})}
+	csrf := testCSRFTokenGenerator{}
+	f := newTestFlow(r, TypeBrowser)
+	tr := prepareTraits("foo", "bar")
+
+	t.Run("case=fill_in_traits", func(t *testing.T) {
+		ve := schema.NewValidationListError([]*schema.ValidationError{schema.NewHookValidationError("traits.username", "invalid username", text.Messages{})})
+
+		err := HandleHookError(nil, r, f, tr, node.PasswordGroup, ve, l, &csrf)
+		assert.ErrorIs(t, err, ve)
+		if assert.NotEmpty(t, f.GetUI()) {
+			ui := f.GetUI()
+			assert.Len(t, ui.Nodes, 3)
+			assert.ElementsMatch(t, ui.Nodes,
+				node.Nodes{
+					&node.Node{Type: node.Input, Group: node.PasswordGroup, Attributes: &node.InputAttributes{Name: "traits.username", Type: node.InputAttributeTypeText, FieldValue: "foo", Required: true}, Meta: &node.Meta{}},
+					&node.Node{Type: node.Input, Group: node.PasswordGroup, Attributes: &node.InputAttributes{Name: "traits.password", Type: node.InputAttributeTypePassword, FieldValue: "bar", Required: true}, Meta: &node.Meta{}},
+					&node.Node{Type: node.Input, Group: node.DefaultGroup, Attributes: &node.InputAttributes{Name: "csrf_token", Type: node.InputAttributeTypeHidden, FieldValue: "csrf_token_value", Required: true}},
+				})
+		}
+	})
+
+	t.Run("case=unmarshal_fail", func(t *testing.T) {
+		ve := schema.NewValidationListError([]*schema.ValidationError{schema.NewHookValidationError("traits.username", "invalid username", text.Messages{})})
+
+		err := HandleHookError(nil, r, f, []byte("garbage"), node.PasswordGroup, ve, l, &csrf)
+		var jsonErr *json.SyntaxError
+		assert.ErrorAs(t, err, &jsonErr)
+	})
+}

selfservice/flow/flow.go

@@ -6,6 +6,8 @@ import (
 
 	"github.com/pkg/errors"
 
+	"github.com/ory/kratos/ui/container"
+
 	"github.com/ory/herodot"
 	"github.com/ory/kratos/x"
 
@@ -31,4 +33,5 @@ type Flow interface {
 	GetType() Type
 	GetRequestURL() string
 	AppendTo(*url.URL) *url.URL
+	GetUI() *container.Container
 }

selfservice/flow/login/flow.go

@@ -210,3 +210,7 @@ func (f *Flow) AfterSave(*pop.Connection) error {
 	f.SetReturnTo()
 	return nil
 }
+
+func (f *Flow) GetUI() *container.Container {
+	return f.UI
+}