Panic on recovery for deactivated user #1794
Comments
Nice find! Any fixes welcome!
Hi @LeonidChistov, @aeneasr, I think the expected behavior should be "the content of the email sent to a deactivated user should be similar to the content of the email sent to an invalid user", what do you think?
Yes, agreed! Regarding the issue, I think this happens when we send a recovery link, then deactivate the user, then the user opens the link!
@aeneasr Right now deactivation and sending of the recovery link may happen in any order. But if recovery link sending is fixed for a deactivated user to behave exactly as for an invalid user, then only "send recovery link" -> "deactivate" -> "open link" will cause the panic, yes.
@aeneasr, @LeonidChistov,
Nice :)
Describe the bug
When a deactivated user opens the recovery link from the recovery email, the following error message appears in the Kratos log and a 500 HTTP error code is reported for the call to `/self-service/recovery?flow=<..>`.
Reproducing the bug
Steps to reproduce the behavior:
Expected behavior
No panic shall appear in the Kratos logs, and the service shall respond with some 4xx HTTP error code that may be handled by the browser, or redirect to an error page.
Also, the recovery email could explicitly say that the account is deactivated and contain no recovery link, but that looks more like a separate feature request.
Environment
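The behaviour discussed in this thread, as an added Go example (not Kratos code and not written by any participant): the email path treats a deactivated account like an unknown one, and the link path re-checks account state when the token is redeemed, returning a 4xx instead of reaching a panic. The `Identity` and `Store` types, the template names, the sample tokens and the specific 4xx codes are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Identity and Store are hypothetical stand-ins, not Kratos types.
type Identity struct{ Active bool }
type Store struct{ byEmail, byToken map[string]*Identity }

var ErrBadToken = errors.New("recovery token invalid or expired")
var ErrInactive = errors.New("identity is deactivated")

// EmailTemplate treats a deactivated account exactly like an unknown one.
func (s *Store) EmailTemplate(email string) string {
	if id := s.byEmail[email]; id != nil && id.Active {
		return "recovery_valid"
	}
	return "recovery_invalid"
}

// Redeem re-checks state at use time: the identity may have been
// deactivated after the link was sent. The 4xx codes are assumptions.
func (s *Store) Redeem(token string) (int, error) {
	id := s.byToken[token]
	switch {
	case id == nil:
		return http.StatusForbidden, ErrBadToken
	case !id.Active:
		return http.StatusUnauthorized, ErrInactive
	}
	return http.StatusOK, nil
}

// sampleStore holds constructed data: "t-bob" was issued before bob was deactivated.
func sampleStore() *Store {
	alice, bob := &Identity{Active: true}, &Identity{Active: false}
	return &Store{
		byEmail: map[string]*Identity{"alice@example.com": alice, "bob@example.com": bob},
		byToken: map[string]*Identity{"t-alice": alice, "t-bob": bob},
	}
}

func main() {
	s := sampleStore()
	fmt.Println(s.EmailTemplate("bob@example.com"), s.EmailTemplate("nobody@example.com"))
	fmt.Println(s.Redeem("t-bob"))
}
```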