Allow account recovery for identities without email address #1419
Comments
@aeneasr I may be misunderstanding something, but the docs you linked to show how to recover an account with an email address. The docs also say that is currently the only supported method:
Ah, my bad.
However, I believe it should also work if you don't have an email. It generates a link:
Have you tried whether this works?
```json
{
  "schema_id": "default",
  "traits": {
    "username": "test"
  }
}
```

```json
[
  {
    "id": "36fe1677-83b6-4b44-87e3-c6dee4c2d160",
    "schema_id": "default",
    "schema_url": "https://mydomain.com/.ory/kratos/public/schemas/default",
    "traits": {
      "username": "test"
    }
  }
]
```

```json
{
  "expires_in": "12h",
  "identity_id": "36fe1677-83b6-4b44-87e3-c6dee4c2d160"
}
```

returns:

```json
{
  "error": {
    "code": 400,
    "status": "Bad Request",
    "reason": "The identity does not have any recovery addresses set.",
    "message": "The request was malformed or contained invalid parameters"
  }
}
```
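The reproduction above, scripted against the admin port so the "no recovery addresses" 400 is handled rather than crashing the script. This is an added example, not code from the issue or from Kratos itself; the admin URL, the `/identities` and `/recovery/link` paths on that port, and the `recovery_link` field in a successful response are assumptions.

```python
"""Create an email-less identity via the Kratos admin API, request a recovery
link for it, and classify the outcome (added example; URL and paths assumed)."""
import json
import urllib.error
import urllib.request

ADMIN_URL = "http://127.0.0.1:4434"   # assumed admin port; keep it off the public network
NO_RECOVERY_ADDRESS = "The identity does not have any recovery addresses set."


def _post_json(url, payload):
    """POST a JSON body and return (status, decoded body), including for 4xx replies."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def create_identity(username, schema_id="default"):
    """Admin-only call: identity whose traits carry a username but no email."""
    return _post_json(f"{ADMIN_URL}/identities",
                      {"schema_id": schema_id, "traits": {"username": username}})


def create_recovery_link(identity_id, expires_in="12h"):
    """Admin-only call: ask Kratos for a recovery link for the given identity."""
    return _post_json(f"{ADMIN_URL}/recovery/link",
                      {"identity_id": identity_id, "expires_in": expires_in})


def classify_recovery_result(status, body):
    """Map the admin response to an outcome the caller can act on."""
    if status == 200 and "recovery_link" in body:   # success field name assumed
        return "link"
    reason = body.get("error", {}).get("reason", "")
    if status == 400 and reason == NO_RECOVERY_ADDRESS:
        return "no_recovery_address"   # the case this issue asks to allow for admins
    return "error"


if __name__ == "__main__":
    _, identity = create_identity("test")
    status, body = create_recovery_link(identity["id"])
    print(classify_recovery_result(status, body), json.dumps(body, indent=2))
```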
Ok, tracked as a feature :) I believe we're currently making sure that recovery only really works when a recovery mechanism is in place for the user. However, it does make sense to skip this check for admins :)
Great, thanks!
There's a test case for this so if the test case is inverted I think that serves a good basis for implementation if anyone wants to tackle this: kratos/selfservice/strategy/link/strategy_recovery_test.go Lines 73 to 83 in 7b8d59f
Instead that should probably look more like this: kratos/selfservice/strategy/link/strategy_recovery_test.go Lines 85 to 106 in 7b8d59f
Hey @aeneasr, I'm interested in giving this a shot if no one else is working on it yet!
That would be awesome! :) As far as I know no one's working on it right now.
I can check this, if not already worked on.
@aeneasr Looks like the /recovery/link endpoint is open on the public port also (redirects to the admin port). Code here. Should this endpoint not be blocked on the public port, since the use case for this API is for an admin to invite new users?
It is expected for the admin port to be protected. The redirect helps if one confused the port, for example during development.
@dibyajyotibehera are you still on this issue? Maybe I could help somehow?
@abador - edit - no, I am not working on it now. There is a Slack thread you might want to check: https://ory-community.slack.com/archives/C012USDT5QQ/p1629889562018400 . Had some ideas but not sure if that's the right way to move forward.
@aeneasr @dibyajyotibehera I needed to run migrations-replace or the errors prevented the script from finishing. Sorry it took so long :)
For instances where identities don't require an email address, it would be useful to still allow account recovery. Since it's just a link, an admin could create it and send it to the user themselves.