kratos
kratos copied to clipboard
ory
feat: disable mail dispatch for invalid recovery email
Added send property for courier.templates.recovery.invalid configuration field, suppressing email sending when recovery email does not exist.
Related issue(s)
#2345
Checklist
- [x] I have read the contributing guidelines.
- [ ] I have referenced an issue containing the design document if my change introduces a new feature.
- [x] I am following the contributing code guidelines.
- [x] I have read the security policy.
- [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security. vulnerability, I confirm that I got green light (please contact [email protected]) from the maintainers to push the changes.
- [x] I have added tests that prove my fix is effective or that my feature works.
- [ ] I have added or changed the documentation.
Further Comments
Included additional configuration field for invalid recovery. I've also considered extending directly email field by send property but it would affect all other flows using the same struct. Extended schema definition. Here I wasn't sure if $ref template can be extended, so just overwrote it. For getEmail cypress command now it's possible to omit check if email is existing.
Codecov Report
Merging #2585 (9e5b402) into master (d8514b5) will increase coverage by
0.00%. The diff coverage is100.00%.
:exclamation: Current head 9e5b402 differs from pull request most recent head 901a7f9. Consider uploading reports for the commit 901a7f9 to get more accurate results
@@ Coverage Diff @@
## master #2585 +/- ##
=======================================
Coverage 75.81% 75.82%
=======================================
Files 302 302
Lines 17784 17789 +5
=======================================
+ Hits 13483 13488 +5
Misses 3270 3270
Partials 1031 1031
| Impacted Files | Coverage Δ | |
|---|---|---|
| driver/config/config.go | 83.18% <100.00%> (+0.05%) |
:arrow_up: |
| selfservice/strategy/link/sender.go | 72.16% <100.00%> (+0.88%) |
:arrow_up: |
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Also related to https://github.com/ory/kratos/issues/1835, this is absolutely needed for anything serious in production.
We use Kratos in a privacy-focused organization and we would also really like to disable the "invalid" emails. What is needed to move this PR forward?
Hi, interested party here as we use kratos.
3. If this enabled, the user is mislead thinking that an email was sent but they had a typo and never receive one. Shouldn't we show an error that the email is not known?
It should be possible to configure kratos in such a way that a user cannot see the difference between successful and unsuccessful sending. Having a difference, for example in the form of an error message, reveals information about the set of existing users.
We'll add a message to the reset-link form to warn the user that if they do not receive an email, they should check if they made an error when typing their address, or if they're maybe registered using a different email address.
@mszekiel Do you intend in continuing the PR, still baffles me that this behaviour is the default.