fix: Resolve several verification problems

Makefile

@@ -84,7 +84,7 @@ quickstart:
 
 quickstart-dev:
 		docker build -f .docker/Dockerfile-build -t oryd/kratos:latest-sqlite .
-		docker pull oryd/kratos-selfservice-ui-node:latest
+		# docker pull oryd/kratos-selfservice-ui-node:latest
 		docker-compose -f quickstart.yml up --build --force-recreate
 
 # Formats the code

cmd/daemon/serve.go

@@ -150,8 +150,8 @@ func sqa(cmd *cobra.Command, d driver.Driver) *metricsx.Service {
 				profile.PublicProfileManagementPath,
 				profile.PublicProfileManagementUpdatePath,
 				verify.PublicVerificationCompletePath,
-				strings.ReplaceAll(verify.PublicVerificationConfirmPath, ":code", ""),
-				strings.ReplaceAll(verify.PublicVerificationInitPath, ":via", ""),
+				strings.ReplaceAll(strings.ReplaceAll(verify.PublicVerificationConfirmPath, ":via", "email"), ":code", ""),
+				strings.ReplaceAll(verify.PublicVerificationInitPath, ":via", "email"),
 				verify.PublicVerificationRequestPath,
 				errorx.ErrorsPath,
 			},

contrib/quickstart/kratos/sqlite/.gitignore

@@ -0,0 +1 @@
+*.sqlite

courier/courier.go

@@ -12,6 +12,8 @@ import (
 	"github.com/pkg/errors"
 	"gopkg.in/gomail.v2"
 
+	"github.com/ory/x/errorsx"
+
 	"github.com/ory/kratos/driver/configuration"
 	"github.com/ory/kratos/x"
 )
@@ -99,11 +101,14 @@ func (m *Courier) watchMessages(ctx context.Context, errChan chan error) {
 		if err := backoff.Retry(func() error {
 			messages, err := m.d.CourierPersister().NextMessages(ctx, 10)
 			if err != nil {
+				if errorsx.Cause(err) == ErrQueueEmpty {
+					return nil
+				}
 				return err
 			}
 
 			for k := range messages {
-				var msg Message = messages[k]
+				var msg = messages[k]
 
 				switch msg.Type {
 				case MessageTypeEmail:
@@ -120,7 +125,8 @@ func (m *Courier) watchMessages(ctx context.Context, errChan chan error) {
 							WithError(err).
 							WithField("smtp_server", fmt.Sprintf("%s:%d", m.dialer.Host, m.dialer.Port)).
 							WithField("smtp_ssl_enabled", m.dialer.SSL).
-							WithField("email_to", msg.Recipient).WithField("email_from", from).
+							// WithField("email_to", msg.Recipient).
+							WithField("message_from", from).
 							Error("Unable to send email using SMTP connection.")
 						continue
 					}
@@ -132,6 +138,12 @@ func (m *Courier) watchMessages(ctx context.Context, errChan chan error) {
 							Error(`Unable to set the message status to "sent".`)
 						return err
 					}
+
+					m.d.Logger().
+						WithField("message_id", msg.ID).
+						WithField("message_type", msg.Type).
+						WithField("message_subject", msg.Subject).
+						Debug("Courier sent out message.")
 				default:
 					return errors.Errorf("received unexpected message type: %d", msg.Type)
 				}

docs/api.swagger.json

@@ -705,26 +705,23 @@
         }
       }
     },
-    "/self-service/browser/flows/verification/confirm/{code}": {
+    "/self-service/browser/flows/verification/init/{via}": {
       "get": {
-        "description": "This endpoint completes a browser-based verification flow.\n\n\u003e This endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...) and HTML Forms.\n\nMore information can be found at [ORY Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).",
-        "consumes": [
-          "application/json",
-          "application/x-www-form-urlencoded"
-        ],
+        "description": "This endpoint initializes a browser-based profile management flow. Once initialized, the browser will be redirected to\n`urls.profile_ui` with the request ID set as a query parameter. If no valid user session exists, a login\nflow will be initialized.\n\n\u003e This endpoint is NOT INTENDED for API clients and only works\nwith browsers (Chrome, Firefox, ...).\n\nMore information can be found at [ORY Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).",
         "schemes": [
           "http",
           "https"
         ],
         "tags": [
           "public"
         ],
-        "summary": "Complete the browser-based verification flows",
-        "operationId": "selfServiceBrowserVerify",
+        "summary": "Initialize browser-based verification flow",
+        "operationId": "initializeSelfServiceBrowserVerificationFlow",
         "parameters": [
           {
             "type": "string",
-            "name": "code",
+            "description": "What to verify\n\nCurrently only \"email\" is supported.",
+            "name": "via",
             "in": "path",
             "required": true
           }
@@ -742,19 +739,29 @@
         }
       }
     },
-    "/self-service/browser/flows/verification/init/{via}": {
+    "/self-service/browser/flows/verification/{via}/confirm/{code}": {
       "get": {
-        "description": "This endpoint initializes a browser-based profile management flow. Once initialized, the browser will be redirected to\n`urls.profile_ui` with the request ID set as a query parameter. If no valid user session exists, a login\nflow will be initialized.\n\n\u003e This endpoint is NOT INTENDED for API clients and only works\nwith browsers (Chrome, Firefox, ...).\n\nMore information can be found at [ORY Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).",
+        "description": "This endpoint completes a browser-based verification flow.\n\n\u003e This endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...) and HTML Forms.\n\nMore information can be found at [ORY Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/selfservice/flows/verify-email-account-activation).",
+        "consumes": [
+          "application/json",
+          "application/x-www-form-urlencoded"
+        ],
         "schemes": [
           "http",
           "https"
         ],
         "tags": [
           "public"
         ],
-        "summary": "Initialize browser-based verification flow",
-        "operationId": "initializeSelfServiceBrowserVerificationFlow",
+        "summary": "Complete the browser-based verification flows",
+        "operationId": "selfServiceBrowserVerify",
         "parameters": [
+          {
+            "type": "string",
+            "name": "code",
+            "in": "path",
+            "required": true
+          },
           {
             "type": "string",
             "description": "What to verify\n\nCurrently only \"email\" is supported.",

identity/manager_test.go

@@ -91,5 +91,9 @@ func TestManager(t *testing.T) {
 		require.NoError(t, reg.IdentityManager().RefreshVerifyAddress(context.Background(), address))
 		assert.NotEqual(t, pc, address.Code)
 		assert.NotEqual(t, ea, address.ExpiresAt)
+
+		fromStore, err := reg.IdentityPool().GetIdentity(context.Background(), original.ID)
+		require.NoError(t, err)
+		assert.NotEqual(t, pc, fromStore.Addresses[0].Code)
 	})
 }

identity/pool.go

@@ -433,8 +433,17 @@ func TestPool(p PrivilegedPool) func(t *testing.T) {
 				}
 			})
 
+			t.Run("case=verify expired should not work", func(t *testing.T) {
+				address := createIdentityWithAddresses(t, -time.Minute, "[email protected]")
+				require.EqualError(t, errorsx.Cause(p.VerifyAddress(context.Background(), address.Code)), sqlcon.ErrNoRows.Error())
+			})
+
+			t.Run("case=create and verify", func(t *testing.T) {
+				require.EqualError(t, errorsx.Cause(p.VerifyAddress(context.Background(), "i-do-not-exist")), sqlcon.ErrNoRows.Error())
+			})
+
 			t.Run("case=create and verify", func(t *testing.T) {
-				address := createIdentityWithAddresses(t, time.Minute, "[email protected]")
+				address := createIdentityWithAddresses(t, time.Minute, "verify.TestPersister.VerifyAddress.valid@ory.sh")
 				require.NoError(t, p.VerifyAddress(context.Background(), address.Code))
 
 				actual, err := p.FindAddressByValue(context.Background(), address.Via, address.Value)

persistence/sql/persister_identity.go

@@ -165,7 +165,9 @@ func (p *Persister) ListIdentities(ctx context.Context, limit, offset int) ([]id
 	is := make([]identity.Identity, 0)
 
 	/* #nosec G201 TableName is static */
-	if err := sqlcon.HandleError(p.GetConnection(ctx).RawQuery(fmt.Sprintf("SELECT * FROM %s LIMIT ? OFFSET ?", new(identity.Identity).TableName()), limit, offset).All(&is)); err != nil {
+	if err := sqlcon.HandleError(p.GetConnection(ctx).
+		RawQuery(fmt.Sprintf("SELECT * FROM %s LIMIT ? OFFSET ?", new(identity.Identity).TableName()), limit, offset).
+		Eager("Addresses").All(&is)); err != nil {
 		return nil, err
 	}
 
@@ -226,7 +228,7 @@ func (p *Persister) DeleteIdentity(ctx context.Context, id uuid.UUID) error {
 
 func (p *Persister) GetIdentity(ctx context.Context, id uuid.UUID) (*identity.Identity, error) {
 	var i identity.Identity
-	if err := p.GetConnection(ctx).Find(&i, id); err != nil {
+	if err := p.GetConnection(ctx).Eager("Addresses").Find(&i, id); err != nil {
 		return nil, sqlcon.HandleError(err)
 	}
 	i.Credentials = nil
@@ -299,17 +301,27 @@ func (p *Persister) VerifyAddress(ctx context.Context, code string) error {
 		return err
 	}
 
-	return sqlcon.HandleError(p.GetConnection(ctx).RawQuery(
+	count, err := p.GetConnection(ctx).RawQuery(
 		/* #nosec G201 TableName is static */
 		fmt.Sprintf(
-			"UPDATE %s SET status = ?, verified = true, verified_at = ?, code = ? WHERE code = ?",
+			"UPDATE %s SET status = ?, verified = true, verified_at = ?, code = ? WHERE code = ? AND expires_at > ?",
 			new(identity.VerifiableAddress).TableName(),
 		),
 		identity.VerifiableAddressStatusCompleted,
 		time.Now().UTC().Round(time.Second),
 		newCode,
 		code,
-	).Exec())
+		time.Now().UTC(),
+	).ExecWithCount()
+	if err != nil {
+		return sqlcon.HandleError(err)
+	}
+
+	if count == 0 {
+		return sqlcon.HandleError(sqlcon.ErrNoRows)
+	}
+
+	return nil
 }
 
 func (p *Persister) UpdateVerifiableAddress(ctx context.Context, address *identity.VerifiableAddress) error {

persistence/sql/persister_session.go

@@ -14,12 +14,14 @@ var _ session.Persister = new(Persister)
 
 func (p *Persister) GetSession(ctx context.Context, sid uuid.UUID) (*session.Session, error) {
 	var s session.Session
-	if err := p.GetConnection(ctx).Eager().Find(&s, sid); err != nil {
+	if err := p.GetConnection(ctx).Find(&s, sid); err != nil {
 		return nil, sqlcon.HandleError(err)
 	}
-	if err := p.injectTraitsSchemaURL(s.Identity); err != nil {
+	i, err := p.GetIdentity(ctx, s.IdentityID)
+	if err != nil {
 		return nil, err
 	}
+	s.Identity = i
 	return &s, nil
 }