Verification email is sent after password recovery #578

flusflas · 2020-07-15T15:11:49Z

Describe the bug

Just after setting a new password following the recovery password/settings flow, a verification email (like the one sent after user registration) is sent to the user.

Reproducing the bug

Steps to reproduce the behavior:

With a user registered (verification via email enabled and a verification email should be sent (I'm using MailSlurper))...

Start account recovery flow:
curl 'http://127.0.0.1:4433/self-service/browser/flows/recovery'
Get <request> code and <csrf_token_cookie>.
Get recovery request context:
curl 'http://127.0.0.1:4433/self-service/browser/flows/requests/recovery?request=<request>' --header 'Cookie: csrf_token=<csrf_token_cookie>'
Get <csrf_token_form_value> from response body (methods.link.config.fields -> csrf_token value)
Complete recovery flow:
curl --request POST 'http://127.0.0.1:4433/self-service/browser/flows/recovery/link?request=<request>' --header 'Cookie: csrf_token=<csrf_token_cookie>' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'csrf_token=<csrf_token_form_value>' --data-urlencode 'email=<email>'
A recovery email should be received with a link and token. Follow this link and get the response cookies (ory_kratos_session and csrf_token) and the new <request> code.
Get settings request context (I'm using admin port because I'm doing it from a backend):
curl 'http://127.0.0.1:4434/self-service/browser/flows/requests/settings?request=<request>' --header 'Cookie: ory_kratos_session=<csrf_token_cookie>'
Get <csrf_token_form_value> from response body (methods.password.config.fields -> csrf_token value)
Complete the settings flow for the password strategy:
curl --location --request POST 'http://127.0.0.1:4433/self-service/browser/flows/settings/strategies/password?request=<request>' --header 'Cookie: csrf_token<csrf_token_cookie>' --form 'password=<new_password>' \ --form 'csrf_token=<csrf_token_form_value>'
At this point, the password has changed and I receive a verification email.

Server configuration

config.yaml

...

selfservice:

  default_browser_return_url: http://127.0.0.1:47100/

  whitelisted_return_urls:
    - http://127.0.0.1:47100

  strategies:
    password:
      enabled: true

  flows:
    login:
      ui_url: http://127.0.0.1:47100/auth/login
      request_lifespan: 10m
      after:
        password:
          hooks:
            - hook: revoke_active_sessions

    registration:
      ui_url: http://127.0.0.1:47100/auth/registration
      request_lifespan: 10m
      after:
        password:
          default_browser_return_url: http://127.0.0.1:47100/auth/registration/success
          hooks:
            - hook: session

    verification:
      enabled: true
      ui_url: http://127.0.0.1:47100/verification/resend

    recovery:
      enabled: true
      ui_url: http://127.0.0.1:47100/recovery
      request_lifespan: 1h
      after:
        default_browser_return_url: https://127.0.0.1:47100/recovery/sent

...

User schema:

{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "type": "string",
          "title": "Username",
          "minLength": 6,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        },
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 6,
          "ory.sh/kratos": {
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        }
      },
      "required": [
        "username",
        "email"
      ]
    }
  },
  "additionalProperties": false
}

Expected behavior

The verification email shouldn't be sent at the end of the recovery process.

Environment

Version: Kratos v0.4.6
Environment: Ubuntu, running Kratos, PostgreSQL and MailSlurper on Docker Compose

The text was updated successfully, but these errors were encountered:

aeneasr · 2020-07-16T10:07:05Z

I guess the problem is that we don't check if the email is already verified when trying to send the email address!

Closes #578

aeneasr added this to the v0.5.0-alpha.1 milestone Jul 16, 2020

aeneasr added this to To do in Maintainer's Board via automation Jul 16, 2020

aeneasr self-assigned this Jul 16, 2020

aeneasr added investigate bug Something is not working. and removed investigate labels Jul 16, 2020

aeneasr added a commit that referenced this issue Jul 16, 2020

fix: don't resend verification emails once verified

59855c3

Closes #578

aeneasr mentioned this issue Jul 16, 2020

fix: don't resend verification emails once verified #583

Merged

aeneasr closed this as completed in #583 Jul 16, 2020

Maintainer's Board automation moved this from To do to Done Jul 16, 2020

aeneasr added a commit that referenced this issue Jul 16, 2020

fix: don't resend verification emails once verified (#583)

a4d9969

Closes #578

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verification email is sent after password recovery #578

Verification email is sent after password recovery #578

flusflas commented Jul 15, 2020

aeneasr commented Jul 16, 2020

Verification email is sent after password recovery #578

Verification email is sent after password recovery #578

Comments

flusflas commented Jul 15, 2020

aeneasr commented Jul 16, 2020