"The recovery token is invalid or has already been used" but it's not. #3971

frederikhors · 2024-06-26T12:12:55Z

I'm having an issue with Kratos self hosted.

When I start a new recovery flow with email, I get the email and the link like:

https://custom_domain.com/self-service/recovery?flow=b12ff5cd-09a3-852c-8e27-ca5123489444&token=AtlocRrLsHIr8ZYMRIsFj8QmduKp

If for example I send this link on a chat or there is a mail system (maybe an ANTI-SPAM extension) that "navigates" this link the token is signed in the DB as "used" but it's not!

And when a user clicks that link it gets:

The recovery token is invalid or has already been used.

Is there a way to disable the "flag as used" option in Kratos?

This is tragic!

Version

1.2.0

The text was updated successfully, but these errors were encountered:

frederikhors · 2024-07-04T20:38:26Z

No one? This is very tricky to fix by ourselves.

jonas-jonas · 2024-07-05T11:39:43Z

This is the reason, we introduced the code strategy. Is that an option for you?

frederikhors · 2024-07-05T17:01:22Z

Thank you.

frederikhors added the bug Something is not working. label Jun 26, 2024

frederikhors closed this as completed Jul 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

"The recovery token is invalid or has already been used" but it's not. #3971

"The recovery token is invalid or has already been used" but it's not. #3971

frederikhors commented Jun 26, 2024 •

edited

Loading

frederikhors commented Jul 4, 2024

jonas-jonas commented Jul 5, 2024

frederikhors commented Jul 5, 2024

"The recovery token is invalid or has already been used" but it's not. #3971

"The recovery token is invalid or has already been used" but it's not. #3971

Comments

frederikhors commented Jun 26, 2024 • edited Loading

Version

frederikhors commented Jul 4, 2024

jonas-jonas commented Jul 5, 2024

frederikhors commented Jul 5, 2024

frederikhors commented Jun 26, 2024 •

edited

Loading