Add proper status for failed nodes.

[inthirakumaaran]

Proposed changes in this pull request

Fix flow status in the fail() function

Issue

• fail() adaptive function returns SUCCESS_COMPLETED in API based auth flow product-is#24362

[sonarqubecloud]

Quality Gate failed

Failed conditions
B Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.85%. Comparing base (55ffca5) to head (45fc74d).
Report is 900 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #6672      +/-   ##
============================================
+ Coverage     47.37%   47.85%   +0.48%     
- Complexity    15890    16150     +260     
============================================
  Files          1820     1823       +3     
  Lines        109188   110133     +945     
  Branches      20426    20395      -31     
============================================
+ Hits          51726    52708     +982     
+ Misses        50293    50178     -115     
- Partials       7169     7247      +78     

Flag	Coverage Δ
unit	32.01% <100.00%> (+0.23%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[PasinduYeshan]

Observation on Basic Auth failure response:

Without the fix:
200

{
    "flowStatus": "SUCCESS_COMPLETED",
    "authData": {
        "error_description": "Password has expired.",
        "error": "ABA-60003"
    }
}

With the fix:
400 Bad Request

{
    "code": "ABA-60002",
    "message": "ABA-60003 - Password has expired.",
    "description": "Authentication flow has concluded with a failure.",
    "traceId": "65a09c57-6c19-4241-af0f-7136ed669598"
}

This constitutes a breaking change, especially for clients or consumers that relied on the previous 200 OK response pattern. Any logic keyed on status code or "flowStatus" will likely need updating to align with the new error structure.

[inthirakumaaran]

@PasinduYeshan

However, in the standard (UI-based) login flow, we maintain the current behavior (status code will be 200). For app-native authentication, this would be a significant change but one we should accept in order to ensure the correct behavior. On that note, we don't need a flowStatus for the FAIL_COMPLETED flow.

[Lakshan-Banneheke]

Since this change only impacts users on version 7.0.0 and above, specifically when using the fail() function in adaptive scripts with app-native authentication, it has been agreed upon by the stakeholders to make a configuration available on demand and proceed with the proposed fix without introducing a config.

[Copilot]

Pull Request Overview

This PR ensures that when authentication fails, the flow status is explicitly marked as FAIL_COMPLETED on the request.

• Sets the FLOW_STATUS attribute to FAIL_COMPLETED in the handleAuthFail method.
• Corrects the flow status handling for failed nodes.

Comments suppressed due to low confidence (2)

components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/sequence/impl/GraphBasedSequenceHandler.java:458

• Add or update unit/integration tests to verify that the FLOW_STATUS attribute is set to FAIL_COMPLETED on the request when authentication fails.

            request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, AuthenticatorFlowStatus.FAIL_COMPLETED);

components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/sequence/impl/GraphBasedSequenceHandler.java:458

• [nitpick] Consider extracting status updates into a shared helper or constant-driven utility method to ensure consistency across different failure handling paths.

            request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, AuthenticatorFlowStatus.FAIL_COMPLETED);

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/15754054721

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/15754054721
Status: failure

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/15754568261

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/15754568261
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/15754568261