Issue: Despite setting the state of an identity to inactive in Ory Kratos, a recovery email is erroneously sent after submitting the form on the recovery page using the username/email address associated with the deactivated identity.
Expected Behavior: No recovery code / link should be generated and sent to the email address of the identity. Instead, either no email should be sent at all, or alternatively, as with unknown accounts, a special email should be sent.
Impact: Since the identity is deactivated, attempting to use the recovery link / code results in an error. In addition, sending an email with a recovery code / link is unnecessary and only leads to confusion.
If you confirm that this issue qualifies as a bug, I'm willing to fix it. However, please advise if there are any specific considerations to bear in mind, such as whether no email should be dispatched altogether, if an email akin to the one sent to unknown email addresses would be preferable, or if it should be configurable whether an email should be sent.
Reproducing the bug
Steps to reproduce:
Start Ory Kratos including Kratos Selfservice UI node
Go to the recovery page and enter the username / email address of the identity
Is: An email with a recovery code / link should now be sent although the identity is deactivated. Using the code or link will of course cause an error.
Should be: No code / link should be generated and therefore no email should be sent to the identity.
Relevant log output
No response
Relevant configuration
No response
Version
1.1.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
Docker Compose
Additional Context
No response
I can replicate this behaviour and I agree it would be better if there was no recovery email being sent at all when the identity is inactive.
Out of curiosity, how do you use the inactive state in your use case?
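The behaviour requested in the issue, as an added example that is not part of the original thread and is not Kratos code: the identity state is checked before any recovery code is generated, and an assumed option decides whether an inactive identity receives the same notice as an unknown address. All type, field and template names, and the addresses, are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Hypothetical model of a recovery flow; no name here is a Kratos API.
type Identity struct{ Email, State string } // State: "active" or "inactive"
type Mail struct{ To, Template string }     // template names are constructed
type Recovery struct {
	Identities     map[string]Identity // keyed by recovery address
	NotifyInactive bool                // assumed option: inactive gets the unknown-address notice
	Codes          map[string]string   // address -> issued recovery code
	Outbox         []Mail
}

func NewRecovery(notifyInactive bool, ids ...Identity) *Recovery {
	r := &Recovery{map[string]Identity{}, notifyInactive, map[string]string{}, nil}
	for _, id := range ids {
		r.Identities[id.Email] = id
	}
	return r
}

// Submit handles one recovery form submission for the given address.
func (r *Recovery) Submit(email string) error {
	id, known := r.Identities[email]
	if !known || id.State != "active" {
		// State is checked before a code exists, so nothing usable is created.
		if !known || r.NotifyInactive {
			r.Outbox = append(r.Outbox, Mail{email, "no_account_notice"})
		}
		return nil
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	r.Codes[email] = hex.EncodeToString(buf)
	r.Outbox = append(r.Outbox, Mail{email, "recovery_code"})
	return nil
}

func main() {
	r := NewRecovery(false, Identity{"b@example.test", "inactive"}) // constructed address
	err := r.Submit("b@example.test")
	fmt.Println(err, len(r.Codes), len(r.Outbox))
}
```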