# talk-kratos
l
Hi everyone, I am trying to implement the recovery flow, but I am stuck with a few things. 1. The flow has 3 ‘states’. I am a bit confused about why the actual reset of the password is not part of the flow. I felt like recovering the account should not be fulfilled until they do reset their password, since if it is not done in that privileged session, they won’t have access again. (I know it kind of sounds like an edge case, but I was just wondering why the flow was implemented like this.) 2. As I am trying to do this with the code method, I am wondering how I should complete the flow, as I need the flowID to call the ‘Complete Recovery Flow API’ and I have no access to it. (The flow would be done in two steps: one request that creates the flow and sends out the email, and the second is when the custom link is clicked, which would trigger the API.) Currently I do not see how this would be possible, but I might be missing something. 3. If the approach I am trying to take is ‘wrong’ or it doesn’t match your expectation of how it should work, could you please provide a possible solution? Thanks in advance, and let me know if something is unclear regarding my problem/questions. 🙂
b
Hi! 🙂 1. We are re-using the settings flow here, because there are multiple first factors that users need to be able to reset here, all of which can be managed from the settings flow. 2. The recovery using code does not support “linking” to the code form, as that would open users up to CSRF attacks. By containing the flow in two steps but inside the same browser tab/window, we can make sure that the whole thing is protected against CSRF. So, in your application, you would just show the code input immediately after the user submitted their email address. 3. See 2.
To add to 1: we are aware of this quirk, and are thinking about revamping the flows. Though, we don’t have a timeline for that yet.
l
Thanks for the answer, I will follow up on this if progress is made. 🙂
Hey @bland-eye-99092, so a follow-up on yesterday’s discussion: we figured out a solution that will work well, basically what you suggested in the second point. On the other hand, I was still confused regarding the settings flow, but after some successful tryout calls on the ‘complete recovery flow’ API we discovered that it automatically starts a settings flow. However, this is not documented well, or maybe at all. It is not obvious that a successful recovery flow will initiate a settings flow automatically. If this is documented anywhere, could you please provide the link to it? If not, I would recommend updating the docs to avoid confusion in the future. 🙂 Regardless, thanks for the help, it ultimately solved our problems.