@KD23243 KD23243 commented Dec 2, 2025

Related Issues

Implementation

This pull request refactors the logic for constructing the redirect URL when a user account is locked in the authentication flow. The main improvement is simplifying and unifying how the base URL for redirection is determined, making the code easier to read and maintain.

Improvements to redirect URL construction:

  • Unified the assignment of the base URL for redirection by introducing a new variable baseURL, which is set to either the retry page or the login page depending on whether redirection to the retry page on account lock is enabled. This reduces code duplication and clarifies the redirection logic.
  • Removed an unnecessary closing brace after the failed username encoding logic, improving code clarity.

Summary by CodeRabbit

  • Refactor
    • Improved internal handling of account lockout error messages and redirect logic to streamline URL construction and parameter appending for better code maintainability.

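As an added example (not code from this PR or from the project's DefaultStepHandler), the hypothetical helper below models the refactor described above: baseURL is chosen once from the retry-page flag, and every parameter the PR names is URL-encoded before it is appended. The endpoint URLs, the flag name, the errorCode value and the sample inputs are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-in for the locked-account branch of the step handler,
// written for this page; it is not the project's DefaultStepHandler code.
public final class LockedAccountRedirect {

    // Constructed sample endpoints; the real ones are read from configuration.
    static final String LOGIN_PAGE = "https://idp.example.test/authenticationendpoint/login.do";
    static final String RETRY_PAGE = "https://idp.example.test/authenticationendpoint/retry.do";

    // Builds the USER_IS_LOCKED redirect: baseURL is chosen once, then both
    // branches share one parameter-appending path, as in the PR's refactor.
    public static String build(boolean redirectToRetryPageOnAccountLock, String errorCode,
                               String authenticators, Integer remainingAttempts,
                               String lockedReason, String failedUsername,
                               String reCaptchaParamString) {
        String baseURL = redirectToRetryPageOnAccountLock ? RETRY_PAGE : LOGIN_PAGE;
        // LinkedHashMap keeps insertion order, so the query string is deterministic.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("errorCode", errorCode);
        params.put("authenticators", authenticators);
        if (remainingAttempts != null) params.put("remainingAttempts", remainingAttempts.toString());
        if (lockedReason != null) params.put("lockedReason", lockedReason);
        if (failedUsername != null) params.put("failedUsername", failedUsername);

        StringBuilder url = new StringBuilder(baseURL);
        char separator = baseURL.contains("?") ? '&' : '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            // Encoding each value keeps a username like "alice&role=admin" from
            // smuggling a second parameter into the redirect.
            url.append(separator).append(encode(e.getKey())).append('=').append(encode(e.getValue()));
            separator = '&';
        }
        // Assumed to be an already-encoded "&key=value" suffix, appended as-is like the PR's reCaptchaParamString.
        if (reCaptchaParamString != null) url.append(reCaptchaParamString);
        return url.toString();
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        System.out.println(build(true, "USER_IS_LOCKED", "BasicAuthenticator:LOCAL", 0,
                "MAX_ATTEMPTS_EXCEEDED", "alice&role=admin", "&reCaptcha=true"));
    }
}
```

Running main prints a retry-page URL in which the ampersand and equals sign inside the failed username appear percent-encoded, so the redirect carries exactly the parameters the handler intended.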


@wso2-engineering wso2-engineering bot left a comment


AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

  • The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. The purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
  • Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

  • Review all AI-generated comments for accuracy and relevance.
  • Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.
Comment                             Accepted (Y/N)    Reason
Log Improvement Suggestion No: 1
Log Improvement Suggestion No: 2

coderabbitai bot commented Dec 2, 2025

Walkthrough

The change refactors URL construction in the USER_IS_LOCKED error handling path within a step handler, introducing a baseURL variable to unify redirect URL building across different execution branches while preserving conditional parameter appending.

Changes

  • Cohort: Authentication Step Handler Refactoring
    File: components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java
    Summary: Consolidates redirect URL construction logic by extracting a baseURL variable and centralizing final URL building. Separates branch-specific logic (retry page vs. login page selection) from unified URL composition, while maintaining conditional appending of remainingAttempts, lockedReason, and failedUsername parameters.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify that URL parameter concatenation order and conditional logic remain functionally equivalent across both branches
  • Confirm that query parameter encoding and escaping are preserved through the refactored structure

Poem

🐰 Unified paths through redirects we weave,
One baseURL to construct and believe,
Branches merge yet logic stands fast,
Cleaner code, same behavior cast.
Authentication flows, tidied with care!

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
  • Description check: ⚠️ Warning. The description is incomplete compared to the template; it only includes Related Issues and Implementation sections while missing Purpose, Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, and Learning sections. Resolution: complete the PR description by adding the missing required sections from the template, particularly Purpose, Goals, Approach, Release note, Documentation, Automation tests, Security checks, and Test environment information.
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: you can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (1 passed)
  • Title check: ✅ Passed. The title clearly describes the bug fix targeting a specific error (500 Internal Server Error) on a particular endpoint (/authn) in a specific context (App-Native Flow).

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java (1)

1282-1303: Unified baseURL-based redirect for locked accounts looks correct

The refactor cleanly centralizes redirect construction for USER_IS_LOCKED, using baseURL to switch between login and retry endpoints while consistently appending errorCode, authenticators, remaining attempts, lock reason, failed username, and reCaptcha params, so it should not introduce new 500s in this path. Only nit: for consistency with nearby code you may want to use reCaptchaParamString.toString() instead of relying on implicit toString() via + reCaptchaParamString.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b472d5 and b8dd4a2.

📒 Files selected for processing (1)
  • components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java (1 hunks)
🧰 Additional context used
📓 Path-based instructions (6), all from the CodeRabbit inference engine (.github/copilot-instructions.md) and all matched by components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java:
  • **/*.{py,java,ts,tsx,js,jsx,cs,go,rb,php}: All public methods should have a docstring.
  • **/*.{py,java,ts,tsx,js,jsx,cs,go,rb,php,c,cpp,h,hpp}: Comments should start with a space and first letter capitalized. Comments should always end with a period.
  • **/*.java: If there's a string concatenation in a debug log, then having if (LOG.isDebugEnabled()) is mandatory to avoid unnecessary computation. For simple log messages (e.g., static strings or simple variable interpolation), you can use LOG.debug directly without the debug check.
  • **/*.{java,ts,tsx,js,jsx,py,cs,go,php}: Scrutinize all user-controlled input for potential SQL Injection, Cross-Site Scripting (XSS), or Command Injection. Ensure that no sensitive user data (e.g., PII, credentials) is being logged or sent in error messages.
  • **/*.{java,ts,tsx,js,jsx,py,cs,go,php,yml,yaml,json,env,properties,conf}: Search for and eliminate any exposed secrets like API keys, passwords, or private tokens.
  • **/*{Controller,Service,Handler,Endpoint,Route}.{java,ts,tsx,js,jsx,py,cs}: Verify that any new endpoints or data access functions have proper authorization and permission checks.
🧬 Code graph analysis (1)
  • DefaultStepHandler.java references components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/ConfigurationFacade.java: ConfigurationFacade (64-414)


sonarqubecloud bot commented Dec 2, 2025


codecov bot commented Dec 2, 2025

Codecov Report

❌ Patch coverage is 0% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.53%. Comparing base (1ebcdcf) to head (b8dd4a2).
⚠️ Report is 203 commits behind head on master.

Files with missing lines:
  • ...ramework/handler/step/impl/DefaultStepHandler.java: patch coverage 0.00%, 12 lines missing ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #7636      +/-   ##
============================================
+ Coverage     50.46%   50.53%   +0.07%     
- Complexity    19246    19845     +599     
============================================
  Files          2093     2121      +28     
  Lines        124187   129879    +5692     
  Branches      25939    27164    +1225     
============================================
+ Hits          62670    65637    +2967     
- Misses        53498    55947    +2449     
- Partials       8019     8295     +276     
Flag coverage:
  • unit: 35.60% (<0.00%> on the patch), Δ +0.31% ⬆️
