kratos
Registration flow with an existing email and an insecure password returns only insecure password error
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Network project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
When submitting a verification flow with an existing email and an insecure password, the flow only returns the error that the password is insecure:
```json
{
  "id": 4000005,
  "text": "The password can not be used because the password has been found in data breaches and must no longer be used.",
  "type": "error",
  "context": {
    "reason": "the password has been found in data breaches and must no longer be used"
  }
}
```
If the verification flow is submitted with an existing email and a secure but invalid password (does not match the credentials stored) the expected error is returned:
```json
{
  "id": 4000007,
  "text": "An account with the same identifier (email, phone, username, ...) exists already.",
  "type": "error",
  "context": {}
}
```
Reproducing the bug
- Run Kratos v0.11.1 with the check against the "Have I been pwned?" database enabled
- Register an identity
- Create a new registration flow
- Submit the registration flow with the email of the identity created before and a password of "Test1234"
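The behaviour in the steps above comes down to validation ordering: if the password-policy check fails first and ends validation, the duplicate-identifier check never runs and its error is lost. The following Go program, written here as an added illustration and not taken from Kratos, models both a fail-fast validator that reproduces the reported output and a collect-all validator that returns both errors. The `Registrar` type, its in-memory `existing` and `breached` sets, and the sample identifier `alice@example.com` are constructed for the example; only the error ids and texts are the ones quoted in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Error ids as they appear in the JSON messages quoted in the issue.
const (
	ErrPasswordBreached = 4000005
	ErrIdentifierExists = 4000007
)

// ValidationError mirrors the id/text shape of the quoted error messages.
type ValidationError struct {
	ID   int
	Text string
}

func (e ValidationError) Error() string { return fmt.Sprintf("%d: %s", e.ID, e.Text) }

// Registrar is a hypothetical stand-in for the registration flow's validation
// step. It is not Kratos code; both lookups are backed by constructed sets.
type Registrar struct {
	existing map[string]bool // identifiers already registered (constructed)
	breached map[string]bool // stand-in for the "Have I been pwned?" lookup (constructed)
}

func NewRegistrar() *Registrar {
	return &Registrar{
		existing: map[string]bool{"alice@example.com": true},
		breached: map[string]bool{"Test1234": true, "password": true},
	}
}

// checkPassword rejects passwords found in the (constructed) breach set.
func (r *Registrar) checkPassword(pw string) error {
	if r.breached[pw] {
		return ValidationError{ErrPasswordBreached,
			"The password can not be used because the password has been found in data breaches and must no longer be used."}
	}
	return nil
}

// checkIdentifier rejects identifiers that are already registered.
func (r *Registrar) checkIdentifier(email string) error {
	if r.existing[strings.ToLower(email)] {
		return ValidationError{ErrIdentifierExists,
			"An account with the same identifier (email, phone, username, ...) exists already."}
	}
	return nil
}

// ValidateFailFast models the reported behaviour: the first failing check ends
// validation, so a breached password hides the duplicate-identifier error.
func (r *Registrar) ValidateFailFast(email, pw string) []error {
	if err := r.checkPassword(pw); err != nil {
		return []error{err}
	}
	if err := r.checkIdentifier(email); err != nil {
		return []error{err}
	}
	return nil
}

// ValidateAll runs every check and collects all failures, so the caller sees
// both errors when both conditions hold.
func (r *Registrar) ValidateAll(email, pw string) []error {
	var errs []error
	if err := r.checkPassword(pw); err != nil {
		errs = append(errs, err)
	}
	if err := r.checkIdentifier(email); err != nil {
		errs = append(errs, err)
	}
	return errs
}

// ErrorIDs extracts the numeric ids in the order the errors were produced.
func ErrorIDs(errs []error) []int {
	ids := make([]int, 0, len(errs))
	for _, err := range errs {
		var ve ValidationError
		if errors.As(err, &ve) {
			ids = append(ids, ve.ID)
		}
	}
	return ids
}

func main() {
	r := NewRegistrar()
	fmt.Println("fail-fast:  ", ErrorIDs(r.ValidateFailFast("alice@example.com", "Test1234")))
	fmt.Println("collect-all:", ErrorIDs(r.ValidateAll("alice@example.com", "Test1234")))
}
```

Running it prints `[4000005]` for the fail-fast variant and `[4000005 4000007]` for the collect-all variant on the same input, which is the difference the issue describes. Whether the project should return both errors or give the identifier check precedence is a design decision for the maintainers; the example only makes the ordering dependency visible.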
Relevant log output
No response
Relevant configuration
No response
Version
0.11.1
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response