Mark email addresses as valid after completing admin initiated recovery (invite) flow with code method
winterec opened this issue · 1 comment
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
I'm implementing an invitation flow by creating identities and then sending an admin initiated recovery link with the code method, as described here: https://www.ory.sh/docs/kratos/manage-identities/invite-users
After the users complete the recovery flow, their email address is still marked as unverified in identity_verifiable_addresses, which would prevent them from logging in when the require_verified_address hook is enabled.
Kratos currently has logic to prevent recovery code flows from marking the address as verified only if the flow is admin-initiated. See the link below.
I think this could probably be removed entirely, or at least made configurable. Presuming that the recovery link and code were sent to the user via email out of band from Kratos, then the email address can be considered verified once the recovery flow has been completed.
By the way, this logic is the only place the RecoveryCodeTypeSelfService/RecoveryCodeTypeAdmin enum values are checked in the codebase, so if this logic is removed then recording those may also be redundant.
Reproducing the bug
Create and complete an admin initiated recovery code flow, then observe that verified is false in identity_recovery_addresses.
Relevant log output
No response
Relevant configuration
No response
Version
v1.2.0-distroless
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response