Merge remote-tracking branch 'origin/master' into jonas-jonas/smsGateway

CHANGELOG.md

@@ -5,7 +5,7 @@
 
 **Table of Contents**
 
-- [ (2023-11-29)](#2023-11-29)
+- [ (2023-12-12)](#2023-12-12)
   - [Breaking Changes](#breaking-changes)
     - [Bug Fixes](#bug-fixes)
     - [Documentation](#documentation)
@@ -314,7 +314,7 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [](https://github.com/ory/kratos/compare/v1.0.0...v) (2023-11-29)
+# [](https://github.com/ory/kratos/compare/v1.0.0...v) (2023-12-12)
 
 ## Breaking Changes
 
@@ -465,6 +465,8 @@ https://github.com/ory/kratos/pull/3480
   Adds correct pagination parameters to the SDK methods for listing identities
   and sessions.
 
+- Ignore CSRF middleware on Apple OIDC callback
+  ([309c506](https://github.com/ory/kratos/commit/309c50694c11162cad070337f9b1d4e0fcdf444b))
 - Ignore more cloudflare cookies
   ([#3499](https://github.com/ory/kratos/issues/3499))
   ([f124ab5](https://github.com/ory/kratos/commit/f124ab5586781cdbfc0a0cfd11b4355bfc8a115c))
@@ -473,6 +475,9 @@ https://github.com/ory/kratos/pull/3480
 
   This also improves tracing in the OIDC strategy.
 
+- Incorrect login accept challenge
+  ([#3658](https://github.com/ory/kratos/issues/3658))
+  ([b5dede3](https://github.com/ory/kratos/commit/b5dede329247d0962688b15872a6caf027cf910f))
 - Incorrect sdk generator path
   ([#3488](https://github.com/ory/kratos/issues/3488))
   ([ed996c0](https://github.com/ory/kratos/commit/ed996c0d25e68e8a2c7de861c546f0b0e42e9e6e))
@@ -650,6 +655,9 @@ https://github.com/ory/kratos/pull/3480
 
   - test: update snapshot
 
+- Use ID label on login with multiple identifiers
+  ([#3657](https://github.com/ory/kratos/issues/3657))
+  ([be907db](https://github.com/ory/kratos/commit/be907dbbd841025fd854344b77d3368b2ff8089f))
 - Use org ID from session if available in login flow
   ([#3545](https://github.com/ory/kratos/issues/3545))
   ([1b3647c](https://github.com/ory/kratos/commit/1b3647c2acdad966f920c2b9e6e657c52aa50c6e))
@@ -844,6 +852,9 @@ https://github.com/ory/kratos/pull/3480
   This feature depends on Cockroach functionality and configuration, and is not
   possible for MySQL or PostgreSQL.
 
+- Extract identifier label for login from default identity schema
+  ([#3645](https://github.com/ory/kratos/issues/3645))
+  ([180828e](https://github.com/ory/kratos/commit/180828eb507ab239a9c6589f747a6816b6e50074))
 - Fine-grained hooks for all available flow methods
   ([#3519](https://github.com/ory/kratos/issues/3519))
   ([a37f6bd](https://github.com/ory/kratos/commit/a37f6bddc48443b2fc464699fa5c2922f64d81f6)):

identity/validator.go

@@ -35,8 +35,8 @@ func NewValidator(d validatorDependencies) *Validator {
 	return &Validator{v: schema.NewValidator(), d: d}
 }
 
-func (v *Validator) ValidateWithRunner(ctx context.Context, i *Identity, runners ...schema.Extension) error {
-	runner, err := schema.NewExtensionRunner(ctx, runners...)
+func (v *Validator) ValidateWithRunner(ctx context.Context, i *Identity, runners ...schema.ValidateExtension) error {
+	runner, err := schema.NewExtensionRunner(ctx, schema.WithValidateRunners(runners...))
 	if err != nil {
 		return err
 	}

internal/testhelpers/session.go

@@ -251,3 +251,13 @@ func (ct *TransportWithHeader) RoundTrip(req *http.Request) (*http.Response, err
 	}
 	return ct.RoundTripper.RoundTrip(req)
 }
+
+func AssertNoCSRFCookieInResponse(t *testing.T, _ *httptest.Server, _ *http.Client, r *http.Response) {
+	found := false
+	for _, c := range r.Cookies() {
+		if strings.HasPrefix(c.Name, "csrf_token") {
+			found = true
+		}
+	}
+	require.False(t, found)
+}

schema/extension.go

@@ -41,30 +41,41 @@ type (
 		Recovery struct {
 			Via string `json:"via"`
 		} `json:"recovery"`
-		Mappings struct {
-			Identity struct {
-				Traits []struct {
-					Path string `json:"path"`
-				} `json:"traits"`
-			} `json:"identity"`
-		} `json:"mappings"`
 	}
 
-	Extension interface {
+	ValidateExtension interface {
 		Run(ctx jsonschema.ValidationContext, config ExtensionConfig, value interface{}) error
 		Finish() error
 	}
+	CompileExtension interface {
+		Run(ctx jsonschema.CompilerContext, config ExtensionConfig, rawSchema map[string]interface{}) error
+	}
 
 	ExtensionRunner struct {
 		meta     *jsonschema.Schema
 		compile  func(ctx jsonschema.CompilerContext, m map[string]interface{}) (interface{}, error)
 		validate func(ctx jsonschema.ValidationContext, s interface{}, v interface{}) error
 
-		runners []Extension
+		validateRunners []ValidateExtension
+		compileRunners  []CompileExtension
 	}
+
+	ExtensionRunnerOption func(*ExtensionRunner)
 )
 
-func NewExtensionRunner(ctx context.Context, runners ...Extension) (*ExtensionRunner, error) {
+func WithValidateRunners(runners ...ValidateExtension) ExtensionRunnerOption {
+	return func(r *ExtensionRunner) {
+		r.validateRunners = append(r.validateRunners, runners...)
+	}
+}
+
+func WithCompileRunners(runners ...CompileExtension) ExtensionRunnerOption {
+	return func(r *ExtensionRunner) {
+		r.compileRunners = append(r.compileRunners, runners...)
+	}
+}
+
+func NewExtensionRunner(ctx context.Context, opts ...ExtensionRunnerOption) (*ExtensionRunner, error) {
 	var err error
 	r := new(ExtensionRunner)
 	c := jsonschema.NewCompiler()
@@ -90,6 +101,12 @@ func NewExtensionRunner(ctx context.Context, runners ...Extension) (*ExtensionRu
 				return nil, errors.WithStack(err)
 			}
 
+			for _, runner := range r.compileRunners {
+				if err := runner.Run(ctx, e, m); err != nil {
+					return nil, err
+				}
+			}
+
 			return &e, nil
 		}
 		return nil, nil
@@ -101,15 +118,18 @@ func NewExtensionRunner(ctx context.Context, runners ...Extension) (*ExtensionRu
 			return nil
 		}
 
-		for _, runner := range r.runners {
+		for _, runner := range r.validateRunners {
 			if err := runner.Run(ctx, *c, v); err != nil {
 				return err
 			}
 		}
 		return nil
 	}
 
-	r.runners = runners
+	for _, opt := range opts {
+		opt(r)
+	}
+
 	return r, nil
 }
 
@@ -126,13 +146,13 @@ func (r *ExtensionRunner) Extension() jsonschema.Extension {
 	}
 }
 
-func (r *ExtensionRunner) AddRunner(run Extension) *ExtensionRunner {
-	r.runners = append(r.runners, run)
+func (r *ExtensionRunner) AddRunner(run ValidateExtension) *ExtensionRunner {
+	r.validateRunners = append(r.validateRunners, run)
 	return r
 }
 
 func (r *ExtensionRunner) Finish() error {
-	for _, runner := range r.runners {
+	for _, runner := range r.validateRunners {
 		if err := runner.Finish(); err != nil {
 			return err
 		}

selfservice/flow/login/error_test.go

@@ -43,6 +43,8 @@ func TestHandleError(t *testing.T) {
 	conf, reg := internal.NewFastRegistryWithMocks(t)
 	public, _ := testhelpers.NewKratosServer(t, reg)
 
+	testhelpers.SetDefaultIdentitySchema(conf, "file://./stub/password.schema.json")
+
 	router := httprouter.New()
 	ts := httptest.NewServer(router)
 	t.Cleanup(ts.Close)

selfservice/flow/login/extension_identifier_label.go

@@ -0,0 +1,66 @@
+// Copyright © 2023 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package login
+
+import (
+	"context"
+
+	"github.com/ory/kratos/text"
+
+	"github.com/ory/jsonschema/v3"
+	"github.com/ory/kratos/schema"
+)
+
+type identifierLabelExtension struct {
+	identifierLabelCandidates []string
+}
+
+var _ schema.CompileExtension = new(identifierLabelExtension)
+
+func GetIdentifierLabelFromSchema(ctx context.Context, schemaURL string) (*text.Message, error) {
+	ext := &identifierLabelExtension{}
+
+	runner, err := schema.NewExtensionRunner(ctx, schema.WithCompileRunners(ext))
+	if err != nil {
+		return nil, err
+	}
+	c := jsonschema.NewCompiler()
+	runner.Register(c)
+
+	_, err = c.Compile(ctx, schemaURL)
+	if err != nil {
+		return nil, err
+	}
+	metaLabel := text.NewInfoNodeLabelID()
+	if label := ext.getLabel(); label != "" {
+		metaLabel = text.NewInfoNodeLabelGenerated(label)
+	}
+	return metaLabel, nil
+}
+
+func (i *identifierLabelExtension) Run(_ jsonschema.CompilerContext, config schema.ExtensionConfig, rawSchema map[string]interface{}) error {
+	if config.Credentials.Password.Identifier ||
+		config.Credentials.WebAuthn.Identifier ||
+		config.Credentials.TOTP.AccountName ||
+		config.Credentials.Code.Identifier {
+		if title, ok := rawSchema["title"]; ok {
+			// The jsonschema compiler validates the title to be a string, so this should always work.
+			switch t := title.(type) {
+			case string:
+				if t != "" {
+					i.identifierLabelCandidates = append(i.identifierLabelCandidates, t)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (i *identifierLabelExtension) getLabel() string {
+	if len(i.identifierLabelCandidates) != 1 {
+		// sane default is set elsewhere
+		return ""
+	}
+	return i.identifierLabelCandidates[0]
+}