fix: false-positives for requiring re-authentication on update (#3421)

ory · Aug 8, 2023 · ce8139f · ce8139f
1 parent aa123f7
commit ce8139f
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/identity/credentials.go b/identity/credentials.go
@@ -237,7 +237,14 @@ func CredentialsEqual(a, b map[CredentialsType]Credentials) bool {
 			return false
 		}
 
-		if !reflect.DeepEqual(expect.Identifiers, actual.Identifiers) {
+		expectIdentifiers, actualIdentifiers := make(map[string]struct{}, len(expect.Identifiers)), make(map[string]struct{}, len(actual.Identifiers))
+		for _, i := range expect.Identifiers {
+			expectIdentifiers[i] = struct{}{}
+		}
+		for _, i := range actual.Identifiers {
+			actualIdentifiers[i] = struct{}{}
+		}
+		if !reflect.DeepEqual(expectIdentifiers, actualIdentifiers) {
 			return false
 		}
 	}

diff --git a/identity/manager_test.go b/identity/manager_test.go
@@ -9,6 +9,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/x/pointerx"
+
 	"github.com/gofrs/uuid"
 
 	"github.com/ory/x/sqlxx"
@@ -28,6 +30,7 @@ import (
 func TestManager(t *testing.T) {
 	conf, reg := internal.NewFastRegistryWithMocks(t)
 	testhelpers.SetDefaultIdentitySchema(conf, "file://./stub/manager.schema.json")
+	extensionSchemaID := testhelpers.UseIdentitySchema(t, conf, "file://./stub/extension.schema.json")
 	conf.MustSet(ctx, config.ViperKeyPublicBaseURL, "https://www.ory.sh/")
 	conf.MustSet(ctx, config.ViperKeyCourierSMTPURL, "smtp://foo@[email protected]/")
 
@@ -248,6 +251,45 @@ func TestManager(t *testing.T) {
 			checkExtensionFields(fromStore, "[email protected]")(t)
 		})
 
+		t.Run("case=should update unprotected traits with multiple credential identifiers", func(t *testing.T) {
+			original := identity.NewIdentity(extensionSchemaID)
+			original.Traits = identity.Traits(`{"email": "[email protected]", "names": ["username1", "username2"], "age": 30}`)
+			require.NoError(t, reg.IdentityManager().Create(ctx, original))
+			assert.Len(t, original.Credentials[identity.CredentialsTypePassword].Identifiers, 3)
+
+			original.Traits = identity.Traits(`{"email": "[email protected]", "names": ["username1", "username2"], "age": 31}`)
+			require.NoError(t, reg.IdentityManager().Update(ctx, original))
+
+			fromStore, err := reg.PrivilegedIdentityPool().GetIdentityConfidential(ctx, original.ID)
+			require.NoError(t, err)
+			assert.JSONEq(t, string(original.Traits), string(fromStore.Traits))
+		})
+
+		t.Run("case=should update unprotected traits with verified user", func(t *testing.T) {
+			email := x.NewUUID().String() + "@ory.sh"
+			original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
+			original.Traits = newTraits(email, "initial")
+			require.NoError(t, reg.IdentityManager().Create(ctx, original))
+
+			// mock successful verification process
+			addr := original.VerifiableAddresses[0]
+			addr.Verified = true
+			addr.VerifiedAt = pointerx.Ptr(sqlxx.NullTime(time.Now().UTC()))
+			require.NoError(t, reg.PrivilegedIdentityPool().UpdateVerifiableAddress(ctx, &addr))
+
+			// reload to properly set the verified address
+			var err error
+			original, err = reg.PrivilegedIdentityPool().GetIdentityConfidential(ctx, original.ID)
+			require.NoError(t, err)
+
+			original.Traits = newTraits(email, "updated")
+			require.NoError(t, reg.IdentityManager().Update(ctx, original))
+
+			fromStore, err := reg.PrivilegedIdentityPool().GetIdentityConfidential(ctx, original.ID)
+			require.NoError(t, err)
+			assert.JSONEq(t, string(original.Traits), string(fromStore.Traits))
+		})
+
 		t.Run("case=changing recovery address removes it from the store", func(t *testing.T) {
 			originalEmail := x.NewUUID().String() + "@ory.sh"
 			original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)