feat: remove flow cookie

[hperl]

This patch removes the flow cookie. All information is already tracked in the request query parameters as part of the {login|consent}_{challenge|verifier}.

Related issue(s)

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[codecov]

Codecov Report

Merging #3639 (1a65ee3) into master (a0c06ec) will increase coverage by 0.06%.
The diff coverage is 97.43%.

❗ Current head 1a65ee3 differs from pull request most recent head 606c405. Consider uploading reports for the commit 606c405 to get more accurate results

@@            Coverage Diff             @@
##           master    #3639      +/-   ##
==========================================
+ Coverage   76.10%   76.17%   +0.06%     
==========================================
  Files         132      132              
  Lines       10076    10030      -46     
==========================================
- Hits         7668     7640      -28     
+ Misses       1881     1874       -7     
+ Partials      527      516      -11     

Files	Coverage Δ
consent/manager.go	100.00% <ø> (ø)
consent/manager_test_helpers.go	98.11% <100.00%> (-0.01%)	⬇️
oauth2/flowctx/cookies.go	100.00% <ø> (ø)
oauth2/flowctx/encoding.go	76.00% <ø> (-4.33%)	⬇️
persistence/sql/persister_consent.go	84.96% <100.00%> (+0.66%)	⬆️
consent/strategy_default.go	70.47% <92.30%> (+1.56%)	⬆️

... and 1 file with indirect coverage changes

[alnr]

It's beautiful.

[aeneasr]

Should this assertion not still be here? The flow was handled so it should be true right?

[hperl]

Previously we persisted the flow in the database, so VerifyAndInvalidateLoginRequest set WasHandled to true in the DB. Since we now store the flow in the login verifier, there is no place to store information about whether the flow was already handled.

This is already true even without this patch.

If we want double-submit protection, we should build a separate NonceService (new creates a new nonce, use uses a nonce once) to make sure that the verifiers are only used once.

[aeneasr]

I see - do we protect against double submit for the consent verifier? Or can I generate as many authorization codes as I want with the same consent verifier?

Can I log in as often as I want to using the same login verifier?

[hperl]

You can log in as often as you want, but the double-submit will be caught at the consent verification step.

I added a test case for consent verifier double submit here: f482f4e

[aeneasr]

Why is it ok to remove this assertion?

[hperl]

Because we can't detect double submit any more.

[aeneasr]

Could you briefly explain why we needed this in the first place so I better understand the reason why it's ok to remove this?

[hperl]

Previously, we merged two flows here: The one decoded from the login verifier (verifier param), and the one from the cookie (f param). The code above ensured that these two flows are the same, so that the same flow information ends up in the cookie agan as well as in the consent challenge.

After removing the cookie flow, we do not have to do this any more.

[aeneasr]

See above

[hperl]

@aeneasr what is still needed here?

[aeneasr]

• Handle 500s on reuse gracefully