Recovery emails are sent to inactive identities
Opened this issue · 0 comments
BrandonNoad commented
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
If an inactive identity goes through the Recovery flow, they receive the recovery email with the code in it. After submitting the code, they receive an unauthorized/401 error:

"message":"identity is disabled","reason":"This account was disabled."

I feel like they shouldn't receive the email with the code. If Notify unknown recipients is enabled, then perhaps inactive identities would receive that email instead.
Reproducing the bug
- PATCH an existing identity so that it has state: 'inactive' (ensure you have access to this identity's email)
- Go to the Recovery page, and submit the email of the inactive identity
- Wait for the email to be delivered and copy the recovery code from the email
- Submit the recovery code form
Relevant log output
No response
Relevant configuration
No response
Version
Ory Network
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
No response
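The following is an added example, not Ory Kratos code and not part of the issue, that models the behaviour the report describes and the change it asks for: which recovery e-mail (if any) the flow sends for a given identity state and "notify unknown recipients" setting, and what the code-submission step returns. The identity directory is constructed sample data; the template names `recovery_code.valid` and `recovery_code.invalid` are assumptions based on Kratos courier naming, while the state values and the 401 "identity is disabled" response come from the report itself.

```python
# Added model of the recovery-flow e-mail decision discussed in this issue.
# It is NOT Ory Kratos code; it only illustrates current vs. proposed behaviour.
from dataclasses import dataclass
from typing import Optional, Tuple

ACTIVE = "active"      # identity state values as used in the report
INACTIVE = "inactive"

# Assumed courier template names (Kratos-style naming, not taken from the page).
TEMPLATE_VALID = "recovery_code.valid"      # carries a usable recovery code
TEMPLATE_INVALID = "recovery_code.invalid"  # "no account found" notice


@dataclass(frozen=True)
class Identity:
    email: str
    state: str


# Constructed sample directory: one active and one inactive identity.
IDENTITIES = {
    "alice@example.com": Identity("alice@example.com", ACTIVE),
    "bob@example.com": Identity("bob@example.com", INACTIVE),
}


def choose_recovery_template(email: str, notify_unknown_recipients: bool,
                             gate_inactive: bool = True) -> Optional[str]:
    """Return the template to send for a recovery request, or None for silence.

    gate_inactive=False reproduces the behaviour in the report: any known
    identity, inactive or not, receives a usable recovery code.
    gate_inactive=True is the proposed fix: an inactive identity is treated
    exactly like an address that has no account at all.
    """
    identity = IDENTITIES.get(email)
    usable = identity is not None and (identity.state == ACTIVE or not gate_inactive)
    if usable:
        return TEMPLATE_VALID
    # Unknown address (or, with the fix, a disabled one): only send the
    # notice when the operator opted in via "notify unknown recipients".
    return TEMPLATE_INVALID if notify_unknown_recipients else None


def submit_recovery_code(email: str) -> Tuple[int, Optional[str]]:
    """Model the code-submission step as (HTTP status, error message).

    Only the two outcomes the report documents are modelled: a disabled
    identity is rejected with 401 'identity is disabled'; an active one succeeds.
    """
    identity = IDENTITIES.get(email)
    if identity is None:
        raise ValueError("no recovery code was ever issued for this address")
    if identity.state == INACTIVE:
        return 401, "identity is disabled"
    return 200, None


if __name__ == "__main__":
    for gate in (False, True):
        sent = choose_recovery_template("bob@example.com", True, gate_inactive=gate)
        print(f"gate_inactive={gate}: inactive identity gets {sent}")
    print(submit_recovery_code("bob@example.com"))
```

With `gate_inactive=True` the inactive and the unknown address take the same branch, so the e-mail an outside observer receives does not reveal whether an account exists but is disabled; that keeps the recovery flow's enumeration resistance intact while removing the code that the submission step would reject anyway.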