From 9300903674f6296b2568c616fd4a3d198024ed89 Mon Sep 17 00:00:00 2001
From: Douglas Palmer
Date: Thu, 4 Jul 2024 09:56:10 -0700
Subject: [PATCH] page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt
Closes #25440
Signed-off-by: Douglas Palmer
---
 .../services/resources/SessionCodeChecks.java | 3 ++-
 .../testsuite/forms/ResetPasswordTest.java | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java b/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java
index b606ac8afd..e5d251f9a8 100644
--- a/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java
+++ b/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java
@@ -53,6 +53,7 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.util.BrowserHistoryHelper;
 import org.keycloak.services.util.AuthenticationFlowURLHelper;
 import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.sessions.CommonClientSessionModel;
 import org.keycloak.sessions.RootAuthenticationSessionModel;
@@ -280,7 +281,7 @@ public class SessionCodeChecks {
 }
 }
- if (execution == null || execution.equals(lastExecFromSession)) {
+ if (execution == null || execution.equals(lastExecFromSession) || CommonClientSessionModel.ExecutionStatus.CHALLENGED.equals(authSession.getExecutionStatus().get(execution))) {
 // Allow refresh of previous page
 clientCode = new ClientSessionCode<>(session, realm, authSession);
 actionRequest = false;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java
index eab356585c..b11b9711bd 100644
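Review bot: The widened condition on the `if` line treats any request whose `execution` is in CHALLENGED state as a page refresh, but nothing explains why a CHALLENGED execution that is not `lastExecFromSession` qualifies, and the existing `// Allow refresh of previous page` comment no longer describes the new case. Suggest hoisting the new test into a named local with its rationale: `boolean challengedExecution = CommonClientSessionModel.ExecutionStatus.CHALLENGED.equals(authSession.getExecutionStatus().get(execution)); // back-button to a step whose challenge was already rendered (e.g. login form after a failed attempt) is a refresh, not a new action`. The `execution == null` test short-circuits before the map lookup, so `get(execution)` never sees a null key and a missing entry yields `false` through `CHALLENGED.equals(null)`; since the `execution` value comes from the request, it is worth confirming that the code after this branch only re-renders the challenge for that execution and never resumes the flow there. The enclosing method begins and ends outside the hunk.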
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java
@@ -376,6 +376,16 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
 resetPassword("login@test.com");
 }
+ @Test
+ public void resetPasswordBackButton() throws IOException, MessagingException {
+ loginPage.open();
+ loginPage.login("login@test.com", "wrongpassword");
+ loginPage.resetPassword();
+ resetPasswordPage.assertCurrent();
+ driver.navigate().back();
+ loginPage.assertCurrent();
+ }
+
 private String resetPassword(String username) throws IOException, MessagingException {
 return resetPassword(username, "resetPassword");
 }
@@ -463,7 +473,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
 loginPage.resetPassword();
 resetPasswordPage.assertCurrent();
-
+
 resetPasswordPage.changePassword(username);
 loginPage.assertCurrent();
@@ -1059,12 +1069,12 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
 @Test
 public void resetPasswordBeforeUserIsDisabled() throws IOException, MessagingException {
 initiateResetPasswordFromResetPasswordPage("login-test");
-
+
 assertEquals(1, greenMail.getReceivedMessages().length);
 MimeMessage message = greenMail.getReceivedMessages()[0];
 String changePasswordUrl = MailUtils.getPasswordResetEmailLink(message);
 events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).session((String)null).user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();
-
+
 UserRepresentation user = findUser("login-test");
 user.setEnabled(false);
 updateUser(user);
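Review bot: The new `resetPasswordBackButton` test stops at `loginPage.assertCurrent()` after `driver.navigate().back()`, so it shows the login form is re-rendered but not that the restored page is still usable — a subsequent successful login on that form would pin the regression more tightly, though the hunk does not show which credentials the realm fixture accepts, so the exact follow-up call is for the author to choose. A short Javadoc would also connect the test to the fix for future readers, e.g. `/** Browser back-button from the forgot-password page after a failed login must re-render the login form instead of the page-expired error (#25440). */`. The declared `throws IOException, MessagingException` matches the file's other tests, although none of the calls in this body visibly require them.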