Email update does not indicate `show_verification_ui` if session is no longer privileged
aeneasr opened this issue · 0 comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
If the user has a privileged session (i.e. less than 15m since login), it works fine. When trying to change the email, I get a 200 and a `show_verification_ui` and `redirect_browser_to` inside the `continue_with`, which enables me to redirect the user to the verification page and then redirect the user back to the settings page after verification.
However, the problem is when the user does not have a privileged session (which I assume will be the most common route, unless we change the privileged session expiry to something higher).
When the session is not privileged, I will receive a 403 and a `redirect_browser_to` to the login screen with `refresh=true`.
But the `redirect_browser_to` typically looks like this:
https://auth-client.dev.zaptec.com/self-service/login/browser?refresh=true&return_to=https%3A%2F%2Fagitated-wiles-v4k99pkyp9.projects.oryapis.com%2Fself-service%2Fsettings%3Fflow%3D668ab586-449b-431b-9556-1be38a72f028
It sends the user to the login screen, with a `return_to` back to the settings page, which means it skips the whole verification UI, even though an email is sent to the user.
Reproducing the bug
See above
Relevant log output
No response
Relevant configuration
No response
Version
master
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
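The two outcomes the report describes, as an added example that is not code from the Ory project or from the issue author. It models a browser client receiving either a 200 with `continue_with` or a 403 with `redirect_browser_to` after submitting an email change on the settings flow, and shows that the 403 branch carries no `show_verification_ui` hint at all: the client can only follow `return_to`, which points back at the settings flow. The JSON shapes (including the `error.details.redirect_browser_to` location and the `session_refresh_required` error id) are assumptions about Ory's response format; the sample responses are constructed, reusing the login URL and settings flow id quoted in the report.

```javascript
// Added example, not Ory's code. Response shapes below are assumptions about
// the Ory settings-flow API; both samples are constructed for this example.

// Constructed: the "privileged session" outcome described in the report.
const RESPONSE_PRIVILEGED = {
  status: 200,
  body: {
    continue_with: [
      {
        action: "show_verification_ui",
        flow: {
          id: "0f6a3c0e-1111-4a2b-9c3d-aaaaaaaaaaaa", // constructed id
          url: "https://auth-client.dev.zaptec.com/verification?flow=0f6a3c0e-1111-4a2b-9c3d-aaaaaaaaaaaa",
        },
      },
      {
        action: "redirect_browser_to",
        redirect_browser_to:
          "https://auth-client.dev.zaptec.com/settings?flow=668ab586-449b-431b-9556-1be38a72f028",
      },
    ],
  },
};

// Constructed: the "not privileged" outcome, using the URL quoted in the report.
const RESPONSE_NOT_PRIVILEGED = {
  status: 403,
  body: {
    error: {
      id: "session_refresh_required", // assumed error id
      code: 403,
      details: {
        redirect_browser_to:
          "https://auth-client.dev.zaptec.com/self-service/login/browser?refresh=true&return_to=https%3A%2F%2Fagitated-wiles-v4k99pkyp9.projects.oryapis.com%2Fself-service%2Fsettings%3Fflow%3D668ab586-449b-431b-9556-1be38a72f028",
      },
    },
  },
};

// Pull the query parameters a client cares about out of a redirect target.
// searchParams.get() returns return_to already percent-decoded.
function parseRedirect(target) {
  const u = new URL(target);
  return {
    path: u.pathname,
    refresh: u.searchParams.get("refresh") === "true",
    returnTo: u.searchParams.get("return_to"),
  };
}

// Decide what a browser client should do with a settings submission response.
function classifySettingsResponse({ status, body }) {
  if (status === 200 && Array.isArray(body.continue_with)) {
    const verify = body.continue_with.find((c) => c.action === "show_verification_ui");
    const redirect = body.continue_with.find((c) => c.action === "redirect_browser_to");
    if (verify) {
      // Happy path: send the user to the verification UI, then back to settings.
      return {
        kind: "verify",
        verificationUrl: verify.flow.url,
        afterVerification: redirect ? redirect.redirect_browser_to : null,
      };
    }
    return { kind: "done", next: redirect ? redirect.redirect_browser_to : null };
  }
  if (status === 403 && body.error && body.error.details && body.error.details.redirect_browser_to) {
    const r = parseRedirect(body.error.details.redirect_browser_to);
    return {
      kind: "reauthenticate",
      loginUrl: body.error.details.redirect_browser_to,
      refresh: r.refresh,
      returnTo: r.returnTo,
      // Nothing in this response tells the client that a verification email
      // was sent or where the verification UI is.
      verificationIndicated: false,
    };
  }
  return { kind: "unhandled", status };
}

// Does return_to land on the settings flow rather than the verification UI?
function returnsToSettings(returnTo) {
  if (!returnTo) return false;
  return new URL(returnTo).pathname.endsWith("/self-service/settings");
}
```

Running `classifySettingsResponse` over the two constructed responses gives `kind: "verify"` for the privileged case and `kind: "reauthenticate"` with `refresh: true` and a `return_to` ending in `/self-service/settings` for the non-privileged case, which is exactly the gap the report points at: after re-login the client is sent back to settings with no signal that verification is pending.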