feat: require verified address #1355
Conversation
|
@aeneasr: In addition to the documentation update (which will follow), I would like to clarify one thing: An identity can have multiple verifiable addresses. The current implementation of the PR expects all of these to be verified. This might be an issue. One could change the behavior to make it expect at least one verified address, but this might be problematic as well. In our case, we would like to have the eMail address used for the current login attempt verified. So maybe kind of a configuration with useful defaults is required. So something like this: hook: require_verified_address
config:
verify: all # or alternatively 'one', or 'current' If the config is omitted, If we go this way, how can I get the information about the email address used for the login? But there are also other related topics. In our case, we also support logins with user names. In this case, the expectation is, that at least Any ideas from your side? |
|
What happens if someone's session expires immediately after changing their primary email, and they misspell it? Blocked from logging in because email is unverified and unable to verify because wrong email? Does the email change flow have a verification component in order to successfully apply? |
|
Interesting question the one above. I’d expect the app to not allow changing an email address if there is no another confirmed address on the account. |
|
Hello there, this is a great contribution! Sorry for the late review but heading off to holidays and had a ton of stuff on my plate :) So generally I would suggest to avoid the one / all / current mechanism. If we add more authentication methods, this will get blurier. What for example about OpenID Connect logins that do not have an email address associated? I think the "one" strategy is good enough. If the user has verified an address I think it is safe to assume that the user has passed that challenge. I'm not sure if having multiple addresses be verified would add an additional benefit - on the contrary! Users might be wondering "why do I need to verify several email addresses?" or "I verified my email address why can I not log in?". From my side - the one strategy as the default would be absolutely good enough! :) |
|
On the other hand, if I signed up using an email and a password, I should be able to recover using one of the social registrations via account linking. I did that once with meetup.com. I created an account using facebook sso but I deleted my facebook account and was unable to sign in. I was able to recover the account by signing up with google directly. This linked the account to the old one and all was good. The second thought I have, isn't signing up with social login an implied verification? If I signed up with Google SSO, Google just told you that the identity is genuine. If someone else was able to sign up using my Google account, well, that was a game over on my side because my Google account was already compromised. So a registration via SSO linking implies a verified address, IMO. Enjoy your holidays. |
|
@aeneasr: Yeah, simpler is better :) I'll update the code accordingly next week and will also add documentation. Enjoy the long weekend! |
|
@radekg: Maybe I miss something, but how do you see this PR is related to recovery? Regarding your thoughts about social logins:
I see it exactly as you do: a registration via SSO linking implies a verified address. So this configuration option should not have any effects for social logins. However I don't know how kratos behaves here. @aeneasr: If the user consent kratos to receive the email address from the AP, will it be added to VerifiableAddresses at all. And if yes, is it then marked as verified? |
Sorry, I think I’ve mixed stuff up with #1323 (comment) |
…ss is verified if password method is used
|
@aeneasr: Please take a look. There are some questions (as comments), which I would like to clarify, before finalizing the implementation and based on that updating the documentation. |
There was a problem hiding this comment.
This looks great! Only thing we need to add is some documentation to: https://www.ory.sh/kratos/docs/next/self-service/hooks/#after
It probably also makes sense to only allow this hook for password flows? For OIDC flows I don't think it makes sense?
selfservice/flow/login/hook.go
Outdated
| // why (is there any reason) is it (Flow.Active) not set in the implementation of the corresponding Login | ||
| // method (strategy_login.go:L91 ff and login.go:L51 ff)? | ||
| // this can be easily achieved by the following lines | ||
| // | ||
| // f.Active = identity.CredentialsTypePassword // or identity.CredentialsTypeOidc | ||
| // | ||
| // if err = s.d.LoginFlowPersister().UpdateLoginFlow(r.Context(), f); err != nil { | ||
| // return nil, s.handleLoginError(w, r, f, &p, errors.WithStack(herodot.ErrInternalServerError.WithReason("Could not update flow").WithDebug(err.Error()))) | ||
| // } | ||
| // | ||
| // in the right place. Otherwise the Flow.Active property is never set (only in tests). | ||
| // If done as described above, there wouldn't be a need to pass around the `ct` argument as well, like in this method. | ||
| // So, FMPOV, the following line is just a hack due to the missing implementation described above. |
There was a problem hiding this comment.
So Active refers to the method the user used to sign in / up / verify / ...
So once you e.g. click "sign in with username / password" this would be set to "password". If you use OIDC this would be "oidc". It's basically a hint for the UI implementor.
Therefore, I don't think we need to set it here!
There was a problem hiding this comment.
This is exactly the point. Active is never set. If it would, I would not have implemented the workaround after the comment. Just look for the places Active is used in (where it is set).
The purpose of that property is clear. I just wanted to know why it is never set. If this is a bug, I would then fix it as part of this PR. The relevant places are obvious for me.
There was a problem hiding this comment.
@aeneasr: Since Active is never set, I consider it as a bug and will fix it as part of the next commits.
Yes, I was thinking to adjust the schema for this purpose. Will come with the next commits |
…ured for password login only
…od. Due to this, there is no need for an additional CredentialType attribute, as this information is now available from the flow object itself
|
@aeneasr: Please take a look. If I haven't forgotten anything, this PR should be complete. |
|
Rerunning flaky CI :) |
|
@aeneasr: I need your help. This is first time I have to deal with JS and cypress. I tried to implement the test cases, but unfortunately there were issues running the registration scenario locally. Only after completely rewriting the |
|
While the PR is being worked on I will mark it as a draft. That declutters our review backlog :) Once you're done with your changes and would like someone to review them, mark the PR as ready and request a review from one of the maintainers. Thank you! |
|
@Quasarman: I was on vacation until yesterday and before it, there were some urgent topics in a project I'm working for, which I had to address. |
|
Hello @dadrus , no worries thanks a lot for your efforts! |
|
Nice, I hope you enjoyed your days off @dadrus :) |
|
Definitely :) Recharging batteries feels always good ;) |
…ified_address # Conflicts: # test/e2e/cypress/integration/profiles/verification/registration/errors.spec.js # test/e2e/cypress/integration/profiles/verification/settings/success.spec.js
|
@aeneasr: There are no much changes in the last commit - only some simplifications compared to what you've done during your call. let previousProfile = ''
Cypress.Commands.add('useConfigProfile', (profile) => {
if (profile === previousProfile) {
return
}
cy.readFile(`test/e2e/kratos.${profile}.yml`).then((contents) =>
cy.writeFile(configFile, contents)
)
cy.wait(100)
})Initially I thought, the usage of |
|
@dadrus yes you are right, looks like we don't need the reset method at all :) |
|
I well then remove the above said dead code, also to avoid confusion in the future. When this is done and all the tests are green (my expectation 😉), this PR will be complete. |
Codecov Report
@@ Coverage Diff @@
## master #1355 +/- ##
==========================================
- Coverage 74.19% 74.16% -0.03%
==========================================
Files 258 259 +1
Lines 12577 12618 +41
==========================================
+ Hits 9331 9358 +27
- Misses 2627 2637 +10
- Partials 619 623 +4
Continue to review full report at Codecov.
|
|
Sorry for the breaking test - I had a fix locally but looks like you were faster 😅 |
|
@aeneasr: If you're not going to break any further tests in a review :), I would say I've done everything required for this feature. Last commits have a self explanatory commit comments :), so feel free to merge or ask for further updates ;) |
|
yeah sorry about that again 😓 also LGTM from my side |
|
Don't worry ;) |
|
🥳 🥳 🥳 🥳 🥳 🥳 🥳 🥳 🥳 |
Related issue
@aeneasr: This is a promised PR for #1328.
Proposed changes
As discussed in #1328. The only difference is the configuration. Instead of making the hook available in
beforeproperty, theafteris used as the information about the identity is only available there.Checklist
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.