Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verification email is sent after password recovery #578

Closed
flusflas opened this issue Jul 15, 2020 · 1 comment · Fixed by #583
Closed

Verification email is sent after password recovery #578

flusflas opened this issue Jul 15, 2020 · 1 comment · Fixed by #583
Assignees
@aeneasr
Labels
bug Something is not working.
Milestone
v0.5.0-alpha.1

Comments

@flusflas
Copy link

Describe the bug

Just after setting a new password following the recovery password/settings flow, a verification email (like the one sent after user registration) is sent to the user.

Reproducing the bug

Steps to reproduce the behavior:

With a user registered (verification via email enabled and a verification email should be sent (I'm using MailSlurper))...

  1. Start account recovery flow:
    curl 'http://127.0.0.1:4433/self-service/browser/flows/recovery'
  2. Get <request> code and <csrf_token_cookie>.
  3. Get recovery request context:
    curl 'http://127.0.0.1:4433/self-service/browser/flows/requests/recovery?request=<request>' --header 'Cookie: csrf_token=<csrf_token_cookie>'
  4. Get <csrf_token_form_value> from response body (methods.link.config.fields -> csrf_token value)
  5. Complete recovery flow:
    curl --request POST 'http://127.0.0.1:4433/self-service/browser/flows/recovery/link?request=<request>' --header 'Cookie: csrf_token=<csrf_token_cookie>' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'csrf_token=<csrf_token_form_value>' --data-urlencode 'email=<email>'
  6. A recovery email should be received with a link and token. Follow this link and get the response cookies (ory_kratos_session and csrf_token) and the new <request> code.
  7. Get settings request context (I'm using admin port because I'm doing it from a backend):
    curl 'http://127.0.0.1:4434/self-service/browser/flows/requests/settings?request=<request>' --header 'Cookie: ory_kratos_session=<csrf_token_cookie>'
  8. Get <csrf_token_form_value> from response body (methods.password.config.fields -> csrf_token value)
  9. Complete the settings flow for the password strategy:
    curl --location --request POST 'http://127.0.0.1:4433/self-service/browser/flows/settings/strategies/password?request=<request>' --header 'Cookie: csrf_token<csrf_token_cookie>' --form 'password=<new_password>' \ --form 'csrf_token=<csrf_token_form_value>'
  10. At this point, the password has changed and I receive a verification email.

Server configuration

config.yaml

...

selfservice:

  default_browser_return_url: http://127.0.0.1:47100/

  whitelisted_return_urls:
    - http://127.0.0.1:47100

  strategies:
    password:
      enabled: true

  flows:
    login:
      ui_url: http://127.0.0.1:47100/auth/login
      request_lifespan: 10m
      after:
        password:
          hooks:
            - hook: revoke_active_sessions

    registration:
      ui_url: http://127.0.0.1:47100/auth/registration
      request_lifespan: 10m
      after:
        password:
          default_browser_return_url: http://127.0.0.1:47100/auth/registration/success
          hooks:
            - hook: session

    verification:
      enabled: true
      ui_url: http://127.0.0.1:47100/verification/resend

    recovery:
      enabled: true
      ui_url: http://127.0.0.1:47100/recovery
      request_lifespan: 1h
      after:
        default_browser_return_url: https://127.0.0.1:47100/recovery/sent

...

User schema:

{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "title": "Username",
          "minLength": 6,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        },
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 6,
          "ory.sh/kratos": {
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        }
      },
      "required": [
        "username",
        "email"
      ]
    }
  },
  "additionalProperties": false
}

Expected behavior

The verification email shouldn't be sent at the end of the recovery process.

Environment

  • Version: Kratos v0.4.6
  • Environment: Ubuntu, running Kratos, PostgreSQL and MailSlurper on Docker Compose
@aeneasr aeneasr added this to the v0.5.0-alpha.1 milestone Jul 16, 2020
@aeneasr aeneasr self-assigned this Jul 16, 2020
@aeneasr aeneasr added investigate bug Something is not working. and removed investigate labels Jul 16, 2020
@aeneasr
Copy link
Member

aeneasr commented Jul 16, 2020

I guess the problem is that we don't check if the email is already verified when trying to send the email address!

aeneasr added a commit that referenced this issue Jul 16, 2020
@aeneasr
fix: don't resend verification emails once verified
59855c3 
Closes #578
@aeneasr aeneasr mentioned this issue Jul 16, 2020
Merged
aeneasr added a commit that referenced this issue Jul 16, 2020
@aeneasr
fix: don't resend verification emails once verified (#583)
a4d9969 
Closes #578
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aeneasr aeneasr

Labels
bug Something is not working.
Projects
None yet
Milestone
v0.5.0-alpha.1
Development

Successfully merging a pull request may close this issue.

fix: don't resend verification emails once verified ory/kratos
2 participants
@aeneasr @flusflas