Incorrect HTTP code when attempting to create a recovery link for non-existing user

[constantoine]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

Upon calling the /admin/recovery/link route with an identity_id that does not exist, an HTTP 400 status code is sent back, when a 404 is what would have been expected (As the OpenAPI would have let think that this route can indeed return a 404 error.

This seems to be related to #1664 except there seems to be a discrepancy between the issue (returning a 404 error when the body is invalid, because the identity_id would be empty and as such not correspond to an existing identity) and what the fix actually did (if an identity is not found, return a 400)

Reproducing the bug

• Make API request on /admin/recovery/link with an identity_id value that does not match an existing identity
• Receive a 400 with error.reason field being set to The requested identity id does not exist.

Relevant log output

No response

Relevant configuration

No response

Version

0.13

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

[alnr]

What is the problem, exactly? Returning 400 here for an identity ID which does not exist seems OK to me semantically. The OpenAPI spec also lists 400 as a possible error code.

[constantoine]

As the spec lists 404 as a possible error, and because it's not documented in the OpenAPI what cases cause what error, it is just something we assumed

Are there cases that can trigger a 404?