feat: login with code

identity/credentials.go

@@ -55,6 +55,8 @@ func (c CredentialsType) ToUiNodeGroup() node.UiNodeGroup {
  return node.WebAuthnGroup
  case CredentialsTypeLookup:
  return node.LookupGroup
+ case CredentialsTypeCodeAuth:
+ return node.CodeGroup
  default:
  return node.DefaultGroup
  }
@@ -67,6 +69,7 @@ const (
  CredentialsTypeTOTP CredentialsType = "totp"
  CredentialsTypeLookup CredentialsType = "lookup_secret"
  CredentialsTypeWebAuthn CredentialsType = "webauthn"
+ CredentialsTypeCodeAuth CredentialsType = "code"
 )
 
 const (
@@ -84,6 +87,7 @@ func ParseCredentialsType(in string) (CredentialsType, bool) {
  CredentialsTypeTOTP,
  CredentialsTypeLookup,
  CredentialsTypeWebAuthn,
+ CredentialsTypeCodeAuth,
  CredentialsTypeRecoveryLink,
  CredentialsTypeRecoveryCode,
  } {

identity/credentials_code.go

@@ -0,0 +1,9 @@
+package identity
+
+// CredentialsOTP represents an OTP code
+//
+// swagger:model identityCredentialsOTP
+type CredentialsOTP struct {
+ // CodeHMAC represents the HMACed value of the login/registration code
+ CodeHMAC string `json:"code_hmac"`
+}

selfservice/flow/recovery/flow.go

@@ -133,7 +133,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques
  }
 
  if strategy != nil {
- flow.Active = sqlxx.NullString(strategy.RecoveryNodeGroup())
+ flow.Active = sqlxx.NullString(strategy.NodeGroup())
  if err := strategy.PopulateRecoveryMethod(r, flow); err != nil {
  return nil, err
  }

selfservice/flow/recovery/handler.go

@@ -430,12 +430,12 @@ func (h *Handler) updateRecoveryFlow(w http.ResponseWriter, r *http.Request, ps
  } else if errors.Is(err, flow.ErrCompletedByStrategy) {
  return
  } else if err != nil {
- h.d.RecoveryFlowErrorHandler().WriteFlowError(w, r, f, ss.RecoveryNodeGroup(), err)
+ h.d.RecoveryFlowErrorHandler().WriteFlowError(w, r, f, ss.NodeGroup(), err)
  return
  }
 
  found = true
- g = ss.RecoveryNodeGroup()
+ g = ss.NodeGroup()
  break
  }
 

selfservice/flow/recovery/strategy.go

@@ -26,7 +26,7 @@ const (
 type (
  Strategy interface {
  RecoveryStrategyID() string
- RecoveryNodeGroup() node.UiNodeGroup
+ NodeGroup() node.UiNodeGroup
  PopulateRecoveryMethod(*http.Request, *Flow) error
  Recover(w http.ResponseWriter, r *http.Request, f *Flow) (err error)
  }

selfservice/flow/verification/flow.go

@@ -132,7 +132,7 @@ func NewFlow(conf *config.Config, exp time.Duration, csrf string, r *http.Reques
  }
 
  if strategy != nil {
- f.Active = sqlxx.NullString(strategy.VerificationNodeGroup())
+ f.Active = sqlxx.NullString(strategy.NodeGroup())
  if err := strategy.PopulateVerificationMethod(r, f); err != nil {
  return nil, err
  }

selfservice/flow/verification/handler.go

@@ -420,12 +420,12 @@ func (h *Handler) updateVerificationFlow(w http.ResponseWriter, r *http.Request,
  } else if errors.Is(err, flow.ErrCompletedByStrategy) {
  return
  } else if err != nil {
- h.d.VerificationFlowErrorHandler().WriteFlowError(w, r, f, ss.VerificationNodeGroup(), err)
+ h.d.VerificationFlowErrorHandler().WriteFlowError(w, r, f, ss.NodeGroup(), err)
  return
  }
 
  found = true
- g = ss.VerificationNodeGroup()
+ g = ss.NodeGroup()
  break
  }
 

selfservice/flow/verification/strategy.go

@@ -26,7 +26,7 @@ const (
 type (
  Strategy interface {
  VerificationStrategyID() string
- VerificationNodeGroup() node.UiNodeGroup
+ NodeGroup() node.UiNodeGroup
  PopulateVerificationMethod(*http.Request, *Flow) error
  Verify(w http.ResponseWriter, r *http.Request, f *Flow) (err error)
  SendVerificationEmail(context.Context, *Flow, *identity.Identity, *identity.VerifiableAddress) error

selfservice/strategy/code/.schema/login.schema.json

@@ -0,0 +1,27 @@
+{
+ "$id": "https://schemas.ory.sh/kratos/selfservice/strategy/code/login.schema.json",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "properties": {
+ "method": {
+ "type": "string",
+ "enum": [
+ "code"
+ ]
+ },
+ "code": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string",
+ "format": "email"
+ },
+ "flow": {
+ "type": "string",
+ "format": "uuid"
+ },
+ "csrf_token": {
+ "type": "string"
+ }
+ }
+}

selfservice/strategy/code/code_login.go

@@ -0,0 +1,22 @@
+package code
+
+import (
+ "database/sql"
+
+ "github.com/gofrs/uuid"
+)
+
+type LoginRegistrationCode struct {
+ // ID is the primary key
+ //
+ // required: true
+ // type: string
+ // format: uuid
+ ID uuid.UUID `json:"id" db:"id" faker:"-"`
+
+ // CodeHMAC represents the HMACed value of the login/registration code
+ CodeHMAC string `json:"-" db:"code_hmac"`
+
+ // UsedAt is the timestamp of when the code was used or null if it wasn't yet
+ UsedAt sql.NullTime `json:"-" db:"used_at"`
+}

selfservice/strategy/code/schema.go

@@ -12,3 +12,6 @@ var recoveryMethodSchema []byte
 
 //go:embed .schema/verification.schema.json
 var verificationMethodSchema []byte
+
+//go:embed .schema/login.schema.json
+var loginMethodSchema []byte

selfservice/strategy/code/strategy.go

@@ -9,7 +9,9 @@ import (
  "github.com/ory/kratos/identity"
  "github.com/ory/kratos/schema"
  "github.com/ory/kratos/selfservice/errorx"
+ "github.com/ory/kratos/selfservice/flow/login"
  "github.com/ory/kratos/selfservice/flow/recovery"
+ "github.com/ory/kratos/selfservice/flow/registration"
  "github.com/ory/kratos/selfservice/flow/settings"
  "github.com/ory/kratos/selfservice/flow/verification"
  "github.com/ory/kratos/session"
@@ -28,6 +30,9 @@ var _ verification.Strategy = new(Strategy)
 var _ verification.AdminHandler = new(Strategy)
 var _ verification.PublicHandler = new(Strategy)
 
+var _ login.Strategy = new(Strategy)
+var _ registration.Strategy = new(Strategy)
+
 type (
  // FlowMethod contains the configuration for this selfservice strategy.
  FlowMethod struct {
@@ -65,6 +70,12 @@ type (
  verification.StrategyProvider
  verification.HookExecutorProvider
 
+ login.StrategyProvider
+ login.HookExecutorProvider
+ login.FlowPersistenceProvider
+
+ registration.StrategyProvider
+
  RecoveryCodePersistenceProvider
  VerificationCodePersistenceProvider
  SenderProvider
@@ -82,11 +93,7 @@ func NewStrategy(deps strategyDependencies) *Strategy {
  return &Strategy{deps: deps, dx: decoderx.NewHTTP()}
 }
 
-func (s *Strategy) RecoveryNodeGroup() node.UiNodeGroup {
- return node.CodeGroup
-}
-
-func (s *Strategy) VerificationNodeGroup() node.UiNodeGroup {
+func (s *Strategy) NodeGroup() node.UiNodeGroup {
  return node.CodeGroup
 }
 

selfservice/strategy/code/strategy_login.go

@@ -0,0 +1,119 @@
+package code
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "net/http"
+
+ "github.com/gofrs/uuid"
+ "github.com/ory/herodot"
+ "github.com/ory/kratos/identity"
+ "github.com/ory/kratos/selfservice/flow"
+ "github.com/ory/kratos/selfservice/flow/login"
+ "github.com/ory/kratos/session"
+ "github.com/ory/kratos/text"
+ "github.com/ory/kratos/ui/node"
+ "github.com/ory/kratos/x"
+ "github.com/ory/x/decoderx"
+ "github.com/ory/x/stringsx"
+)
+
+var _ login.Strategy = new(Strategy)
+
+type loginSubmitPayload struct {
+ Method string `json:"method"`
+ CSRFToken string `json:"csrf_token"`
+ Code string `json:"code"`
+ Identifier string `json:"identifier"`
+}
+
+func (s *Strategy) RegisterLoginRoutes(*x.RouterPublic) {
+}
+
+func (s *Strategy) ID() identity.CredentialsType {
+ return identity.CredentialsTypeCodeAuth
+}
+
+func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context) session.AuthenticationMethod {
+ return session.AuthenticationMethod{
+ Method: identity.CredentialsTypeCodeAuth,
+ AAL: identity.AuthenticatorAssuranceLevel2,
+ }
+}
+
+func (s *Strategy) HandleLoginError(w http.ResponseWriter, r *http.Request, flow *login.Flow, body *loginSubmitPayload, err error) error {
+ if flow != nil {
+ email := ""
+ if body != nil {
+ email = body.Identifier
+ }
+
+ flow.UI.SetCSRF(s.deps.GenerateCSRFToken(r))
+ flow.UI.GetNodes().Upsert(
+ node.NewInputField("identifier", email, node.CodeGroup, node.InputAttributeTypeEmail, node.WithRequiredInputAttribute).
+ WithMetaLabel(text.NewInfoNodeInputEmail()),
+ )
+ }
+
+ return err
+}
+
+func (s *Strategy) PopulateLoginMethod(r *http.Request, requestedAAL identity.AuthenticatorAssuranceLevel, lf *login.Flow) error {
+ if lf.Type != flow.TypeBrowser {
+ return nil
+ }
+
+ if requestedAAL == identity.AuthenticatorAssuranceLevel2 {
+ return nil
+ }
+
+ lf.UI.SetCSRF(s.deps.GenerateCSRFToken(r))
+ lf.UI.GetNodes().Upsert(
+ node.NewInputField("identifier", "", node.CodeGroup, node.InputAttributeTypeEmail, node.WithRequiredInputAttribute).
+ WithMetaLabel(text.NewInfoNodeInputEmail()),
+ )
+ return nil
+}
+
+func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, identityID uuid.UUID) (i *identity.Identity, err error) {
+ if err := login.CheckAAL(f, identity.AuthenticatorAssuranceLevel1); err != nil {
+ return nil, err
+ }
+
+ if err := flow.MethodEnabledAndAllowedFromRequest(r, s.ID().String(), s.deps); err != nil {
+ return nil, err
+ }
+
+ var p loginSubmitPayload
+ if err := s.dx.Decode(r, &p,
+ decoderx.HTTPDecoderSetValidatePayloads(true),
+ decoderx.MustHTTPRawJSONSchemaCompiler(loginMethodSchema),
+ decoderx.HTTPDecoderAllowedMethods("POST"),
+ decoderx.HTTPDecoderJSONFollowsFormFormat()); err != nil {
+ return nil, s.HandleLoginError(w, r, f, &p, err)
+ }
+
+ if err := flow.EnsureCSRF(s.deps, r, f.Type, s.deps.Config().DisableAPIFlowEnforcement(r.Context()), s.deps.GenerateCSRFToken, p.CSRFToken); err != nil {
+ return nil, s.HandleLoginError(w, r, f, &p, err)
+ }
+
+ i, c, err := s.deps.PrivilegedIdentityPool().FindByCredentialsIdentifier(r.Context(), s.ID(), p.Identifier)
+
+ if err != nil {
+ return nil, s.HandleLoginError(w, r, f, &p, err)
+ }
+
+ var o identity.CredentialsOTP
+ d := json.NewDecoder(bytes.NewBuffer(c.Config))
+ if err := d.Decode(&o); err != nil {
+ return nil, herodot.ErrInternalServerError.WithReason("The password credentials could not be decoded properly").WithDebug(err.Error()).WithWrap(err)
+ }
+
+ f.Active = identity.CredentialsTypeCodeAuth
+ if err = s.deps.LoginFlowPersister().UpdateLoginFlow(r.Context(), f); err != nil {
+ return nil, s.HandleLoginError(w, r, f, &p, err)
+ }
+
+ return i, nil
+}

selfservice/strategy/code/strategy_recovery.go

@@ -281,7 +281,7 @@ func (s Strategy) isCodeFlow(f *recovery.Flow) bool {
  if err != nil {
  return false
  }
- return value == s.RecoveryNodeGroup().String()
+ return value == s.NodeGroup().String()
 }
 
 func (s *Strategy) Recover(w http.ResponseWriter, r *http.Request, f *recovery.Flow) (err error) {
@@ -539,13 +539,13 @@ func (s *Strategy) recoveryHandleFormSubmission(w http.ResponseWriter, r *http.R
 
  f.UI.SetCSRF(s.deps.GenerateCSRFToken(r))
 
- f.Active = sqlxx.NullString(s.RecoveryNodeGroup())
+ f.Active = sqlxx.NullString(s.NodeGroup())
  f.State = recovery.StateEmailSent
  f.UI.Messages.Set(text.NewRecoveryEmailWithCodeSent())
  f.UI.Nodes.Append(node.NewInputField("code", nil, node.CodeGroup, node.InputAttributeTypeText, node.WithRequiredInputAttribute).
  WithMetaLabel(text.NewInfoNodeLabelRecoveryCode()),
  )
- f.UI.Nodes.Append(node.NewInputField("method", s.RecoveryNodeGroup(), node.CodeGroup, node.InputAttributeTypeHidden))
+ f.UI.Nodes.Append(node.NewInputField("method", s.NodeGroup(), node.CodeGroup, node.InputAttributeTypeHidden))
 
  f.UI.
  GetNodes().

selfservice/strategy/code/strategy_verification.go

@@ -48,7 +48,7 @@ func (s *Strategy) PopulateVerificationMethod(r *http.Request, f *verification.F
  )
  // Required for the re-send code button
  nodes.Append(
- node.NewInputField("method", s.VerificationNodeGroup(), node.CodeGroup, node.InputAttributeTypeHidden),
+ node.NewInputField("method", s.NodeGroup(), node.CodeGroup, node.InputAttributeTypeHidden),
  )
  f.UI.Messages.Set(text.NewVerificationEmailWithCodeSent())
  default: