Handle HTTP HEAD requests by setting response status to 200 OK #6390
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #6390 +/- ##
============================================
- Coverage 46.36% 45.95% -0.41%
- Complexity 14770 15040 +270
============================================
Files 1714 1731 +17
Lines 103938 106554 +2616
Branches 18630 19307 +677
============================================
+ Hits 48195 48972 +777
- Misses 48852 50572 +1720
- Partials 6891 7010 +119
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
PR builder started |
|
|
||
| commonAuthenticationServlet.doHead(request, response); | ||
|
|
||
| verify(response).setStatus(HttpServletResponse.SC_OK); |
There was a problem hiding this comment.
what are we trying to do here? Are you trying to set 200OK status in the servelet response? Ideally the response should have 200 OK and we need to verify it
|
PR builder completed |
There was a problem hiding this comment.
Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/13002694350
...arbon/identity/application/authentication/framework/servlet/CommonAuthenticationServlet.java
Show resolved
Hide resolved
|
Root Cause
The issue arises when a user with a Microsoft Outlook email address, having "Office 365 Advanced Threat Protection" enabled, logs in using a magic link. After receiving the magic link email and clicking the sign-in button, they encounter an error.
Related Issues
Previous Behavior
This issue is caused by the SafeLink protection in Outlook/Office 365, which sends a HEAD request to the original link before redirecting to the browser. WSO2 IS processes the login flow in response to the HEAD request, completing the account login process prematurely. As a result, the magic link becomes invalid, and the user sees an error message when trying to sign in.
Before.mov
Changes in this Pull Request
This PR introduces a method override to handle HTTP HEAD requests in the
CommonAuthenticationServletclass. The server will now respond with a status code of 200 OK to HEAD requests, allowing clients to check resource availability without fetching the full content.Current Behavior
With the new handling of HTTP HEAD requests, when a user clicks the magic link in the email, the server will respond with a 200 OK status for the HEAD request before redirecting the user to the sign-in page. This prevents premature completion of the login flow, ensuring that the magic link remains valid and the user can successfully sign in without encountering the error.
After.mov