Submitting Settings Flow with email verification enabled produces error 500
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Network project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
Our e2e test executes the following steps:
- Create a new user.
- A login refresh with a wrong password.
- A login refresh with the correct password.
- A settings flow with a password that is too short.
- A login refresh with the correct password.
- A settings flow with a proper new password. At this step we get the following error: { "code": 500, "status": "Internal Server Error", "request": "45f5fbc6-9029-9d23-8faa-8b239fbfd6fa", "message": "named insert: ERROR: insert on table \"identity_verification_codes\" violates foreign key constraint \"identity_verification_codes_identity_verifiable_addresses_id_fk\" (SQLSTATE 23503)" }
When I do the same steps manually, which is of course slower, they work.
These are the executed requests: requests.txt
Reproducing the bug
Execute the provided requests (the error most likely only occurs when they are executed quickly enough).
Relevant log output
No response
Relevant configuration
No response
Version
current on your servers
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Ory Network
Additional Context
No response
I noticed that the problem also occurs when steps 2-4 are removed. So just correctly changing the password also produces the error.
Thanks for the report and investigation. This looks like a race condition and we should fix this.
I looked into this and couldn't reproduce the issue using the account experience (managed UI) in an e2e test setup, and after further inspection, a race condition doesn't sound too plausible anymore. The verifiable address should be present correctly, depending on the way the identity is created.
- Are you testing via APIs directly, or through a UI?
- Could you add your identity schema? Feel free to send it to me via email (jonas.hungershausen(at)ory.sh) or on the community slack (Jonas (Ory)) via DM.
- How are you creating the user? Through the admin API or via the self-service registration flow?
Thank you!
We are using Ory's self-service flows for everything we do. We are building a React Native app that we use on Android, iOS and the Web (via react-native web). The e2e test I was talking about is written in Playwright and automates a web browser. I will send you our schema via Slack.
We start a registration flow by calling: http://localhost:3000/api/.ory/self-service/registration/browser
Then we post to: http://localhost:3000/api/.ory/self-service/registration?flow=7baa16f3-39be-4fbd-9f4a-7e3ec2a64e91
{
  "session": {
    "id": ".......",
    "active": true,
    "expires_at": "2023-05-26T07:37:35.307911573Z",
    "authenticated_at": "2023-05-12T07:37:35.393702275Z",
    "authenticator_assurance_level": "aal1",
    "authentication_methods": [
      {
        "method": "password",
        "aal": "aal1",
        "completed_at": "2023-05-12T07:37:35.308022103Z"
      }
    ],
    "issued_at": "2023-05-12T07:37:35.307911573Z",
    "identity": {
      "id": "70e74354-17e2-4f5b-88a7-62e2aa26c154",
      "schema_id": ".......",
      "schema_url": "/api/.ory/schemas/.....",
      "state": "active",
      "state_changed_at": "2023-05-12T07:37:35.266789967Z",
      "traits": {
        "email": "[email protected]"
      },
      "verifiable_addresses": [
        {
          "id": "9c76e687-0657-4611-9be6-8a04361dbc0f",
          "value": "[email protected]",
          "verified": false,
          "via": "email",
          "status": "sent",
          "created_at": "2023-05-12T07:37:35.276285Z",
          "updated_at": "2023-05-12T07:37:35.276285Z"
        }
      ],
      "recovery_addresses": [
        {
          "id": "cc4d7859-6a4c-4ef1-be12-fc42f5299d7d",
          "value": "[email protected]",
          "via": "email",
          "created_at": "2023-05-12T07:37:35.282019Z",
          "updated_at": "2023-05-12T07:37:35.282019Z"
        }
      ],
      "metadata_public": null,
      "created_at": "2023-05-12T07:37:35.270219Z",
      "updated_at": "2023-05-12T07:37:35.270219Z"
    },
    "devices": [
      {
        "id": "........",
        "ip_address": "........",
        "user_agent": "........",
        "location": "........."
      }
    ]
  },
  "identity": {
    "id": "70e74354-17e2-4f5b-88a7-62e2aa26c154",
    "schema_id": ".....",
    "schema_url": "/api/.ory/schemas/......",
    "state": "active",
    "state_changed_at": "2023-05-12T07:37:35.266789967Z",
    "traits": {
      "email": "[email protected]"
    },
    "verifiable_addresses": [
      {
        "id": "9c76e687-0657-4611-9be6-8a04361dbc0f",
        "value": "[email protected]",
        "verified": false,
        "via": "email",
        "status": "sent",
        "created_at": "2023-05-12T07:37:35.276285Z",
        "updated_at": "2023-05-12T07:37:35.276285Z"
      }
    ],
    "recovery_addresses": [
      {
        "id": "cc4d7859-6a4c-4ef1-be12-fc42f5299d7d",
        "value": "[email protected]",
        "via": "email",
        "created_at": "2023-05-12T07:37:35.282019Z",
        "updated_at": "2023-05-12T07:37:35.282019Z"
      }
    ],
    "metadata_public": null,
    "created_at": "2023-05-12T07:37:35.270219Z",
    "updated_at": "2023-05-12T07:37:35.270219Z"
  },
  "continue_with": [
    {
      "action": "show_verification_ui",
      "flow": {
        "id": "27560cd7-7411-445f-9c3c-38c9d0814c31",
        "verifiable_address": "[email protected]",
        "url": "/ui/verification?flow=27560cd7-7411-445f-9c3c-38c9d0814c31"
      }
    }
  ]
}