fix: incorrect append of code credential identifier (#4102)

Closes #4076
ory · Sep 16, 2024 · 3215792 · 3215792
1 parent 192f10f
commit 3215792
Show file tree

Hide file tree

Showing 6 changed files with 113 additions and 64 deletions.
diff --git a/identity/.snapshots/TestSchemaExtensionCredentials-case=12.json b/identity/.snapshots/TestSchemaExtensionCredentials-case=12.json
@@ -0,0 +1,22 @@
+{
+  "type": "code",
+  "config": {
+    "addresses": [
+      {
+        "channel": "sms",
+        "address": "+4917667111638"
+      },
+      {
+        "channel": "email",
+        "address": "[email protected]"
+      },
+      {
+        "channel": "email",
+        "address": "[email protected]"
+      }
+    ]
+  },
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/identity/extension_credentials.go b/identity/extension_credentials.go
@@ -22,9 +22,10 @@ import (
 )
 
 type SchemaExtensionCredentials struct {
-	i *Identity
-	v map[CredentialsType][]string
-	l sync.Mutex
+	i         *Identity
+	v         map[CredentialsType][]string
+	addresses []CredentialsCodeAddress
+	l         sync.Mutex
 }
 
 func NewSchemaExtensionCredentials(i *Identity) *SchemaExtensionCredentials {
@@ -79,17 +80,7 @@ func (r *SchemaExtensionCredentials) Run(ctx jsonschema.ValidationContext, s sch
 		})
 
 		var conf CredentialsCode
-		if len(cred.Config) > 0 {
-			// Only decode the config if it is not empty.
-			if err := json.Unmarshal(cred.Config, &conf); err != nil {
-				return &jsonschema.ValidationError{Message: "unable to unmarshal identity credentials"}
-			}
-		}
-
-		if conf.Addresses == nil {
-			conf.Addresses = []CredentialsCodeAddress{}
-		}
-
+		conf.Addresses = r.addresses
 		value, err := x.NormalizeIdentifier(fmt.Sprintf("%s", value), string(via))
 		if err != nil {
 			return &jsonschema.ValidationError{Message: err.Error()}
@@ -120,6 +111,7 @@ func (r *SchemaExtensionCredentials) Run(ctx jsonschema.ValidationContext, s sch
 				return item.Address
 			})...,
 		))
+		r.addresses = conf.Addresses
 
 		cred.Identifiers = r.v[CredentialsTypeCodeAuth]
 		cred.Config, err = json.Marshal(conf)

diff --git a/identity/extension_credentials_test.go b/identity/extension_credentials_test.go
@@ -9,6 +9,8 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/ory/x/sqlxx"
+
 	"github.com/ory/x/snapshotx"
 
 	"github.com/ory/jsonschema/v3"
@@ -25,103 +27,117 @@ var ctx = context.Background()
 
 func TestSchemaExtensionCredentials(t *testing.T) {
 	for k, tc := range []struct {
-		expectErr error
-		schema    string
-		doc       string
-		expect    []string
-		existing  *identity.Credentials
-		ct        identity.CredentialsType
+		expectErr           error
+		schema              string
+		doc                 string
+		expectedIdentifiers []string
+		existing            *identity.Credentials
+		ct                  identity.CredentialsType
 	}{
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/schema.json",
-			expect: []string{"[email protected]"},
-			ct:     identity.CredentialsTypePassword,
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
+			ct:                  identity.CredentialsTypePassword,
 		},
 		{
-			doc:    `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
-			schema: "file://./stub/extension/credentials/multi.schema.json",
-			expect: []string{"[email protected]", "[email protected]", "foobar"},
-			ct:     identity.CredentialsTypePassword,
+			doc:                 `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
+			schema:              "file://./stub/extension/credentials/multi.schema.json",
+			expectedIdentifiers: []string{"[email protected]", "[email protected]", "foobar"},
+			ct:                  identity.CredentialsTypePassword,
 		},
 		{
-			doc:    `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
-			schema: "file://./stub/extension/credentials/multi.schema.json",
-			expect: []string{"[email protected]", "[email protected]"},
-			ct:     identity.CredentialsTypeWebAuthn,
+			doc:                 `{"emails":["[email protected]","[email protected]","[email protected]"], "username": "foobar"}`,
+			schema:              "file://./stub/extension/credentials/multi.schema.json",
+			expectedIdentifiers: []string{"[email protected]", "[email protected]"},
+			ct:                  identity.CredentialsTypeWebAuthn,
 		},
 		{
-			doc:    `{"emails":["[email protected]","[email protected]"], "username": "foobar"}`,
-			schema: "file://./stub/extension/credentials/multi.schema.json",
-			expect: []string{"[email protected]", "[email protected]", "foobar"},
+			doc:                 `{"emails":["[email protected]","[email protected]"], "username": "foobar"}`,
+			schema:              "file://./stub/extension/credentials/multi.schema.json",
+			expectedIdentifiers: []string{"[email protected]", "[email protected]", "foobar"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]"},
 			},
 			ct: identity.CredentialsTypePassword,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/webauthn.schema.json",
-			expect: []string{"[email protected]"},
-			ct:     identity.CredentialsTypeWebAuthn,
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/webauthn.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
+			ct:                  identity.CredentialsTypeWebAuthn,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/webauthn.schema.json",
-			expect: []string{"[email protected]"},
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/webauthn.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]"},
 			},
 			ct: identity.CredentialsTypeWebAuthn,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/code.schema.json",
-			expect: []string{"[email protected]"},
-			ct:     identity.CredentialsTypeCodeAuth,
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/code.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
+			ct:                  identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/code.schema.json",
-			expect: []string{"[email protected]"},
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/code.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]"},
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]"}`,
-			schema: "file://./stub/extension/credentials/code.schema.json",
-			expect: []string{"[email protected]"},
+			doc:                 `{"email":"[email protected]"}`,
+			schema:              "file://./stub/extension/credentials/code.schema.json",
+			expectedIdentifiers: []string{"[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
-			schema: "file://./stub/extension/credentials/code-phone-email.schema.json",
-			expect: []string{"+4917667111638", "[email protected]"},
+			doc:                 `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
-			schema: "file://./stub/extension/credentials/code-phone-email.schema.json",
-			expect: []string{"+4917667111638", "[email protected]"},
+			doc:                 `{"email":"[email protected]","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "[email protected]"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
+			},
+			ct: identity.CredentialsTypeCodeAuth,
+		},
+		{
+			doc:                 `{"email":"[email protected]","email2":"[email protected]","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "[email protected]"},
+			existing: &identity.Credentials{
+				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
 		{
-			doc:    `{"email":"[email protected]","email2":"[email protected]","phone":"+49 176 671 11 638"}`,
-			schema: "file://./stub/extension/credentials/code-phone-email.schema.json",
-			expect: []string{"+4917667111638", "[email protected]"},
+			doc:                 `{"email":"[email protected]","email2":"FOO@ory.sh","email3":"bar@ory.sh","phone":"+49 176 671 11 638"}`,
+			schema:              "file://./stub/extension/credentials/code-phone-email.schema.json",
+			expectedIdentifiers: []string{"+4917667111638", "foo@ory.sh", "bar@ory.sh"},
 			existing: &identity.Credentials{
 				Identifiers: []string{"[email protected]", "[email protected]"},
+				Config:      sqlxx.JSONRawMessage(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
 			},
 			ct: identity.CredentialsTypeCodeAuth,
 		},
@@ -148,7 +164,7 @@ func TestSchemaExtensionCredentials(t *testing.T) {
 
 			credentials, ok := i.GetCredentials(tc.ct)
 			require.True(t, ok)
-			assert.ElementsMatch(t, tc.expect, credentials.Identifiers)
+			assert.ElementsMatch(t, tc.expectedIdentifiers, credentials.Identifiers)
 			snapshotx.SnapshotT(t, credentials, snapshotx.ExceptPaths("identifiers"))
 		})
 	}

diff --git a/identity/handler_test.go b/identity/handler_test.go
@@ -762,9 +762,9 @@ func TestHandler(t *testing.T) {
 		t.Run("case=fails all on a bad identity", func(t *testing.T) {
 			// Test setup: we have a list of valid identitiy patches and a list of invalid ones.
 			// Each run adds one invalid patch to the list and sends it to the server.
-			// --> we expect the server to fail all patches in the list.
+			// --> we expectedIdentifiers the server to fail all patches in the list.
 			// Finally, we send just the valid patches
-			// --> we expect the server to succeed all patches in the list.
+			// --> we expectedIdentifiers the server to succeed all patches in the list.
 			validPatches := []*identity.BatchIdentityPatch{
 				{Create: validCreateIdentityBody("valid-patch", 0)},
 				{Create: validCreateIdentityBody("valid-patch", 1)},

diff --git a/identity/stub/extension/credentials/code-phone-email.schema.json b/identity/stub/extension/credentials/code-phone-email.schema.json
@@ -37,6 +37,24 @@
         }
       }
     },
+    "email3": {
+      "type": "string",
+      "format": "email",
+      "ory.sh/kratos": {
+        "credentials": {
+          "password": {
+            "identifier": true
+          },
+          "webauthn": {
+            "identifier": true
+          },
+          "code": {
+            "identifier": true,
+            "via": "email"
+          }
+        }
+      }
+    },
     "phone": {
       "type": "string",
       "format": "tel",

diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum
@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=