Incorrect HTTP code when attempting to create a recovery link for non-existing user
constantoine opened this issue · comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Upon calling the `/admin/recovery/link` route with an `identity_id` that does not exist, an HTTP 400 status code is sent back, when a 404 is what would have been expected (as the OpenAPI would have led one to think that this route can indeed return a 404 error).
This seems to be related to #1664, except there seems to be a discrepancy between the issue (returning a 404 error when the body is invalid, because the `identity_id` would be empty and as such not correspond to an existing identity) and what the fix actually did (if an identity is not found, return a 400).
Reproducing the bug
- Make API request on `/admin/recovery/link` with an `identity_id` value that does not match an existing identity
- Receive a 400 with `error.reason` field being set to `The requested identity id does not exist.`
Relevant log output
No response
Relevant configuration
No response
Version
0.13
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
What is the problem, exactly? Returning 400 here for an identity ID which does not exist seems OK to me semantically. The OpenAPI spec also lists 400 as a possible error code.
As the spec lists 404 as a possible error, and because it's not documented in the OpenAPI what cases cause what error, it is just something we assumed.
Are there cases that can trigger a 404?