
Inactive Identity Receives Recovery Email #3858

Open
5 tasks done
jonas-siegl opened this issue Mar 28, 2024 · 1 comment
Labels
bug Something is not working.

Comments

jonas-siegl commented Mar 28, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

Issue: Despite setting the state of an identity to inactive in Ory Kratos, a recovery email is erroneously sent after submitting the form on the recovery page using the username/email address associated with the deactivated identity.

Expected Behavior: No recovery code / link should be generated and sent to the email address of the identity. Instead, either no email should be sent at all, or alternatively, as with unknown accounts, a special email should be sent.

Impact: Since the identity is deactivated, attempting to use the recovery link / code results in an error. In addition, sending an email with a recovery code / link is unnecessary and only leads to confusion.

[Screenshot: The error that is displayed when using the recovery code]

If you confirm that this issue qualifies as a bug, I'm willing to fix it. However, please advise if there are any specific considerations to bear in mind, such as whether no email should be dispatched altogether, if an email akin to the one sent to unknown email addresses would be preferable, or if it should be configurable whether an email should be sent.

Reproducing the bug

Steps to reproduce:

  • Start Ory Kratos including Kratos Selfservice UI node
  • Create a new identity
  • Get the ID of the identity
  • Set the state of the identity to inactive:

    ```shell
    curl --request PATCH -sL --header "Content-Type: application/json" \
      --data '[
        {
          "op": "replace",
          "path": "/state",
          "value": "inactive"
        }
      ]' http://localhost:4434/admin/identities/<identity-id>
    ```

  • Go to the recovery page and enter the username / email address of the identity
  • Is: An email with a recovery code / link should now be sent although the identity is deactivated. Using the code or link will of course cause an error.
  • Should be: No code / link should be generated and therefore no email should be sent to the identity.

Relevant log output

No response

Relevant configuration

No response

Version

1.1.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

Docker Compose

Additional Context

No response

@jonas-siegl jonas-siegl added the bug Something is not working. label Mar 28, 2024
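The reproduction steps above describe two behaviours of one recovery endpoint: the reported one, where only the existence of the address is checked before a code is issued, and the expected one, where the identity's state gates the decision. The following in-memory model is an added example written for this page; it is not Ory Kratos code and does not talk to a running Kratos. Identities, the outbox and the `RecoveryService` class are constructed here; `build_state_patch` only reproduces the JSON Patch body from the curl command in the report. The model also shows why the response returned to the person submitting the form should be the same in every branch: the inactive address is treated exactly like an unknown one, so nothing about the identity's existence or state can be inferred from the recovery page.

```python
"""In-memory model of the recovery-request gate discussed in the issue.

Constructed example: identities, outbox and service are local objects so the
script runs offline. Nothing here is Ory Kratos' own implementation.
"""
from dataclasses import dataclass
import json
import secrets

ACTIVE = "active"
INACTIVE = "inactive"


@dataclass
class Identity:
    id: str
    email: str
    state: str = ACTIVE


def build_state_patch(state: str) -> str:
    """Serialise the JSON Patch body the report sends via the admin API."""
    if state not in (ACTIVE, INACTIVE):
        raise ValueError(f"unknown identity state: {state!r}")
    return json.dumps([{"op": "replace", "path": "/state", "value": state}])


def apply_state_patch(identity: Identity, patch_body: str) -> Identity:
    """Apply a 'replace /state' patch to a local Identity (stand-in for the admin API)."""
    for op in json.loads(patch_body):
        if op.get("op") == "replace" and op.get("path") == "/state":
            identity.state = op["value"]
    return identity


class RecoveryService:
    """Models the recovery flow. gate_on_state=False reproduces the reported
    behaviour; gate_on_state=True is the behaviour the reporter expects."""

    def __init__(self, identities, gate_on_state: bool):
        self.identities = {i.email: i for i in identities}
        self.gate_on_state = gate_on_state
        self.outbox = []   # (recipient, kind) of every mail "sent"
        self.issued = {}   # recovery code -> email it was issued for

    def request(self, email: str) -> dict:
        ident = self.identities.get(email)
        eligible = ident is not None
        if self.gate_on_state:
            # Expected behaviour: an inactive identity is handled like an unknown address.
            eligible = eligible and ident.state == ACTIVE
        if eligible:
            code = secrets.token_hex(4)
            self.issued[code] = email
            self.outbox.append((email, "recovery_code"))
        else:
            # Same notice as for an unknown address; no code is generated.
            self.outbox.append((email, "account_unknown"))
        # Identical response in every branch, so the form reveals nothing.
        return {"state": "sent_email"}

    def redeem(self, code: str) -> str:
        email = self.issued.get(code)
        if email is None:
            return "invalid_code"
        if self.identities[email].state != ACTIVE:
            # The error the report describes when a code for an inactive identity is used.
            return "identity_inactive"
        return "recovered"


if __name__ == "__main__":
    alice = apply_state_patch(Identity("id-1", "alice@example.test"), build_state_patch(INACTIVE))
    reported = RecoveryService([alice], gate_on_state=False)
    reported.request(alice.email)
    print("reported:", reported.outbox[-1], "redeem ->", reported.redeem(next(iter(reported.issued))))
    expected = RecoveryService([alice], gate_on_state=True)
    expected.request(alice.email)
    print("expected:", expected.outbox[-1], "codes issued:", len(expected.issued))
```

Run it and the reported variant issues a `recovery_code` to the inactive identity whose redemption then fails with `identity_inactive`, while the gated variant sends the `account_unknown` notice and issues no code; both return the same `{"state": "sent_email"}` to the submitter.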

vinckr commented Apr 7, 2024

Hello @jonas-siegl,

I can replicate this behaviour and I agree it would be better if there was no recovery email being sent at all when the identity is inactive.
Out of curiosity, how do you use the inactive state in your use case?
