<@U04UQ68083H> i dont want user to create account ...
# ory-copilot
@chilly-king-10285 i don't want user to create account unless he has verified his account on verification screen.
A message from kapa.ai
To ensure that only users with a verified email address can create an account, you can use Ory's `require_verified_address` action. This action requires users to have a verified email address before they are able to sign in to the application. Here are the steps to enable this feature:

1. Sign in to Ory Console and select [Verification Settings](https://console.ory.sh/projects/current/verification).
2. Toggle Require Verified Address for Login.
3. Click Save.

Alternatively, you can use the Ory CLI to enable this feature:

1. Download the Ory Identities config from your project and save it to a file:

```bash
## List all available projects
ory list projects

## Get config
ory get identity-config {project-id} --format yaml > identity-config.yaml
```

2. Add the configuration for the verification flow:

```diff
 selfservice:
   flows:
     login:
+      after:
+        hooks:
+          - hook: require_verified_address
```

3. Update the Ory Identities configuration using the file you worked with:

```bash
ory update identity-config {project-id} --file updated_config.yaml
```

For more information, see the [hooks configuration](https://www.ory.sh/docs/kratos/hooks/configure-hooks) documentation. Please note that Ory doesn't recommend requiring a verified email to sign in. If you want to encourage users to verify their addresses, show a banner and limit functionality for unverified accounts. This approach helps improve signup conversion[^1^].

[^1^]: (https://www.ory.sh/docs/identities/sign-in/actions#allow-login-only-with-verified-email)
@chilly-king-10285 i am using self hosted
A message from kapa.ai
In a self-hosted Ory Kratos setup, you can enforce email verification during the registration process by using the `before` hook in the registration flow. This hook can be used to check if the user's email is verified before completing the registration process.

However, it's important to note that Ory Kratos does not natively support multi-tenancy. This means that each instance of Ory Kratos can only manage a single tenant or user base. If you need multi-tenancy, you would have to use the Ory Cloud platform[^1^].

Unfortunately, the exact code or configuration to enforce email verification during registration in a self-hosted setup is not provided in the knowledge sources provided. For more detailed guidance, you may want to refer to the Ory Kratos documentation or seek support from the Ory community[^2^].

[^1^]: (https://www.ory.sh/docs/kratos/guides/multi-tenancy-multitenant)
[^2^]: (https://www.ory.sh/support/)
@chilly-king-10285 i am using self hosted kratos, i don't want user to create account unless he has verified his account on verification screen.
A message from kapa.ai
To enforce email verification during the account creation process in a self-hosted Ory Kratos setup, you need to configure your identity schema and verification flow accordingly. Here are the steps:

1. Your identity schema must have an email in its traits. Add the following to your identity schema:

```json
{
  "ory.sh/kratos": {
    "verification": {
      "via": "email"
    }
  }
}
```

For example, your identity schema could look like this:

```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "verification": {
              "via": "email"
            }
          }
        }
      }
    }
  }
}
```

2. Configure the courier SMTP connection in your config file to enable sending out a recovery link to an email address:

```yaml
# Ory Identities
courier:
  smtp:
    connection_uri: smtps://username:password@smtp-server:1234/
```

3. Enable verification in your config file:

```yaml
selfservice:
  flows:
    verification:
      enabled: true
      ui_url: http://127.0.0.1:4455/verification
```

4. To allow only the users with a verified email to sign in, add the following to your config file:

```yaml
selfservice:
  flows:
    login:
      after:
        hooks:
          - hook: require_verified_address
```

5. Update the Ory Identities configuration using the file you worked with:

```bash
ory update identity-config {project-id} --file updated_config.yaml
```

Please note that the exact command may vary depending on your setup[^1^][^2^][^3^][^4^].

[^1^]: (https://www.ory.sh/docs/kratos/self-hosted/account-activation-email-verification)
[^2^]: (https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#allow-login-only-with-verified-email)
[^3^]: (https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#identity-schema)
[^4^]: (https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation#configuration)
@chilly-king-10285 i am using kratos self hosted and i want to have my custom email template for password recovery only
A message from kapa.ai
In a self-hosted Ory Kratos setup, you can customize the email templates for various flows including password recovery. Here's how you can do it:

1. Create your custom email template. This could be in HTML or plaintext format.
2. Encode your custom template to base64. You can use the following command:

```bash
echo "Your custom template" | base64
```

or use an online tool like [base64encode.org](https://www.base64encode.org/).

3. Add your Base64-encoded custom message templates to the config file. Make sure to add `base64://` before the encoded template. Here's an example of how to add it to the recovery email body:

```yaml
courier:
  smtp:
    from_name: MyProject via Ory
  templates:
    recovery:
      valid:
        email:
          body:
            html: "base64://ENCODED_HTML_TEMPLATE"
            plaintext: "base64://ENCODED_PLAINTEXT_TEMPLATE"
```

4. Save the changes to your config file.

Please note that in the Ory Network, you can use only Base64-encoded templates. `http://` or `file://` URIs are not supported. If you provide custom templates using unsupported methods, the system uses the default templates[^1^].

[^1^]: (https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#using-custom-message-templates)
@chilly-king-10285 what does valid and invalid mean?
A message from kapa.ai
In the context of Ory Kratos, `valid` and `invalid` are used to differentiate between successful and unsuccessful attempts in various flows such as recovery and verification.

- `valid`: This refers to a successful attempt. For example, in the recovery flow, `recovery.valid` refers to a successful recovery attempt where the user has provided a valid recovery code or link.
- `invalid`: This refers to an unsuccessful attempt. For example, `recovery.invalid` refers to an unsuccessful recovery attempt where the user has provided an invalid recovery code or link.

These terms are used to select the appropriate email templates to be sent to the user. For instance, if a user attempts to recover their account and the attempt is successful (`valid`), the `recovery.valid` email template is used. If the attempt is unsuccessful (`invalid`), the `recovery.invalid` email template is used[^1^][^2^].

[^1^]: (https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#available-variables)
[^2^]: (https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#built-in-templates)
@chilly-king-10285 i am getting this error with custom templates: additionalProperties "templates" not allowed
A message from kapa.ai
The error message "additionalProperties 'templates' not allowed" suggests that the `templates` property is not recognized in the location where it's currently placed in your configuration file. This could be due to a misplacement or incorrect nesting of the `templates` property.

In the context of custom email templates in Ory Kratos, the `templates` property should be nested under the `courier` property in your configuration file. Here's an example of how it should look:

```yaml
courier:
  template_override_path: /conf/courier-template
  templates:
    verification:
      valid:
        email:
          body:
            html: https://some-remote-resource/gotmpl
            plaintext: base64://SGV5IHlvdSBkZWNvZGVkIG1lIDop
          subject: file://some-file/subject.gotmpl
```

Please ensure that your `templates` property is correctly placed in your configuration file[^1^].

[^1^]: (https://www.ory.sh/docs/kratos/self-hosted/mail-courier-templates#configuration)
@chilly-king-10285 if i use base64, do i still need to save .gotmpl somewhere?
A message from kapa.ai
No, if you use base64 encoding for your custom email templates, you do not need to save the `.gotmpl` files somewhere else. The base64 encoded string is a representation of your entire template content, so it includes everything that Ory Kratos needs to generate the email. When you provide the base64 encoded string in your configuration, Ory Kratos will automatically decode the string and use the resulting content as the email template[^1^][^2^].

[^1^]: (https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#using-custom-message-templates)
[^2^]: (https://www.ory.sh/docs/guides/gitops#openid-connect-claims-and-ory-actions-payload)
@chilly-king-10285 it's not sending email with my template, still sending default one
A message from kapa.ai
If Ory Kratos is still sending the default email template instead of your custom one, there could be a few reasons for this:

1. Incorrect Configuration: Ensure that your configuration file correctly references your custom template. The `templates` property should be nested under the `courier` property, and the base64-encoded template should be correctly placed under the appropriate flow (e.g., `recovery`, `verification`), status (`valid`, `invalid`), and format (`email`, `body`, `html`, `plaintext`).
2. Incorrect Base64 Encoding: Ensure that your custom template is correctly encoded in base64 and that the encoded string is correctly placed in your configuration file. Remember to add `base64://` before the encoded template.
3. Configuration Not Applied: Ensure that you have correctly updated your Ory Kratos configuration with the new settings. If you're using the Ory CLI, you would use a command like `ory update identity-config <project-id> --file updated_config.yaml`.
4. Unsupported Methods: In the Ory Network, only Base64-encoded templates are supported. If you're providing custom templates using unsupported methods (`http://` or `file://` URIs), the system will default to using the built-in templates.

If you've checked all of these and are still having issues, you may want to seek further support from the Ory community[^1^].

[^1^]: (https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#using-custom-message-templates)
@chilly-king-10285 I want to reset my db on ec2 deployed kratos in postgres. I want to reset identities and all the stuff.
A message from kapa.ai
To reset your database for a self-hosted Ory Kratos setup with PostgreSQL, you can follow these steps:

1. Connect to your PostgreSQL database. You can do this by running the following command:

```bash
sudo -i -u postgres
```

2. Once you're connected to PostgreSQL, you can drop the existing database. In this case, the database name is `kratos`:

```bash
dropdb kratos
```

3. After dropping the database, you can create a new one with the same name:

```bash
createdb kratos
```

4. Now, you need to apply the migrations again. You can do this by running the following command:

```bash
/opt/kratos/bin/kratos -c /opt/kratos/config/kratos.yml migrate sql -y postgres://kratos:[email protected]:5432/kratos?sslmode=disable
```

Please replace `[email protected]` with your actual database credentials. This will reset your database and remove all existing identities and related data[^1^].

[^1^]: (https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-postgresql)
@chilly-king-10285 i am getting this error: "named insert: ERROR: column \"channel\" of relation \"courier_messages\" does not exist (SQLSTATE 42703)"
A message from kapa.ai
The error message "ERROR: column 'channel' of relation 'courier_messages' does not exist" suggests that the database schema for your Ory Kratos setup is missing the 'channel' column in the 'courier_messages' table. This could be due to a few reasons:

1. Incomplete or Failed Migration: The database migrations might not have been fully applied. You can try re-running the migrations using the following command:

```bash
kratos migrate sql -e --yes
```

2. Outdated Version: You might be using an outdated version of Ory Kratos. Ensure that you're using the latest version of Ory Kratos and that your database schema is up-to-date with the version you're using.
3. Custom Modifications: If you've made any custom modifications to the database schema, ensure that these modifications have not removed or renamed the 'channel' column in the 'courier_messages' table.

If you've checked all of these and are still having issues, you may want to seek further support from the Ory community[^1^].

[^1^]: (https://www.ory.sh/docs/kratos/quickstart)
@chilly-king-10285 : ERROR: permission denied to create extension "pg_trgm" (SQLSTATE 42501)
A message from kapa.ai
The error message "ERROR: permission denied to create extension 'pg_trgm'" suggests that the database user you're using doesn't have the necessary permissions to create extensions in the PostgreSQL database. To resolve this issue, you need to grant the necessary permissions to your database user. Here's how you can do it:

1. Connect to your PostgreSQL database as a superuser. You can do this by running the following command:

```bash
sudo -i -u postgres
```

2. Once you're connected to PostgreSQL, switch to the PostgreSQL prompt:

```bash
psql
```

3. Grant the necessary permissions to your database user. In this case, the database user is `kratos`:

```sql
ALTER USER kratos CREATEDB;
```

4. Exit the PostgreSQL prompt:

```
\q
```

5. Now, you should be able to create the extension with the `kratos` user:

```bash
psql -d kratos -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
```

Please replace `kratos` with your actual database user name. This will grant the necessary permissions to your database user to create extensions[^1^].

[^1^]: (https://www.postgresql.org/docs/9.1/sql-alteruser.html)
@chilly-king-10285 i am getting this error on running migrations: CREATE INDEX identity_credential_identifiers_nid_identifier_gin ON identity_credential_identifiers USING GIN (nid, identifier gin_trgm_ops); : ERROR: permission denied to create extension "pg_trgm" (SQLSTATE 42501)
A message from kapa.ai
The error message "ERROR: permission denied to create extension 'pg_trgm'" suggests that the database user you're using doesn't have the necessary permissions to create extensions in the PostgreSQL database. To resolve this issue, you need to grant the necessary permissions to your database user. Here's how you can do it:

1. Connect to your PostgreSQL database as a superuser. You can do this by running the following command:

```bash
sudo -i -u postgres
```

2. Once you're connected to PostgreSQL, switch to the PostgreSQL prompt:

```bash
psql
```

3. Grant the necessary permissions to your database user. In this case, the database user is `kratos`:

```sql
ALTER USER kratos CREATEDB;
```

4. Exit the PostgreSQL prompt:

```
\q
```

5. Now, you should be able to create the extension with the `kratos` user:

```bash
psql -d kratos -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
```

Please replace `kratos` with your actual database user name. This will grant the necessary permissions to your database user to create extensions[^1^].

[^1^]: (https://www.postgresql.org/docs/9.1/sql-alteruser.html)
@chilly-king-10285 i am using kratos sdk on frontend which is in react. for some requests, i am sending withcredentials:true req to backend which is in django, but my frontend isn't sending the ory session cookie as i've to see if user is authorized or not
A message from kapa.ai
When making requests from your React frontend to your Django backend, you need to ensure that you're including cookies with your AJAX requests. By default, AJAX doesn't send cookies, so you need to set `withCredentials: true` in your requests. Here's an example of how to do this with the `fetch` function:

```javascript
fetch("https://ory.your-custom-domain.com/", {
  credentials: "include",
})
```

And here's how to do it with the Ory SDK:

```javascript
import { FrontendApi, Configuration } from "@ory/client"

const ory = new FrontendApi(
  new Configuration({
    basePath,
    baseOptions: {
      // Ensures we send cookies in the CORS requests.
      withCredentials: true,
    },
  }),
)
```

Please replace `"https://ory.your-custom-domain.com/"` and `basePath` with your actual Ory domain.

Also, ensure that your Django backend is configured to accept credentials from your frontend domain. You can do this by setting the `CORS_ORIGIN_ALLOW_ALL` and `CORS_ALLOW_CREDENTIALS` settings in your Django settings:

```python
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = [
    "http://localhost:3000",  # Replace with your frontend domain
]
```

Please replace `"http://localhost:3000"` with your actual frontend domain[^1^][^2^][^3^][^4^][^5^].

[^1^]: (https://www.ory.sh/docs/troubleshooting/csrf#accessing-apis-from-client-side-javascript--ajax)
[^2^]: (https://www.ory.sh/docs/security-model#same-top-level-domain)
[^3^]: (https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)
[^4^]: (https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie)
[^5^]: (https://www.ory.sh/docs/getting-started/integrate-auth/vue#check-for-session-in-component)
@chilly-king-10285 can i change kratos cookies from samesite lax to samesite none?
A message from kapa.ai
Yes, you can change the SameSite attribute of Ory Kratos' cookies from `Lax` to `None`. This can be done by modifying the `same_site` configuration key in your Ory Kratos configuration file. Here's an example of how to do this:

```yaml
session:
  cookie:
    same_site: None
```

Please note that when you set `SameSite` to `None`, you must also ensure that your cookies are `Secure`. This is because, according to the new cookie policies implemented by browsers, cookies with `SameSite=None` must also be `Secure`. In Ory Kratos, you can ensure this by not using the `--dev` flag, as the `Secure` flag is enabled by default unless the `--dev` flag is set[^1^][^2^][^3^].

[^1^]: (https://www.ory.sh/docs/kratos/guides/configuring-cookies#session-cookies)
[^2^]: (https://www.ory.sh/docs/kratos/debug/csrf#samesite-attribute)
[^3^]: (https://www.ory.sh/docs/kratos/guides/multi-domain-cookies#cookies)
@chilly-king-10285 can i change the httponly of session cookie to false?
A message from kapa.ai
No, you cannot change the `HttpOnly` attribute of the session cookie to `false` in Ory Kratos. The `HttpOnly` flag is set to `true` by default and cannot be modified. This is a security measure to protect the session cookie from being accessed by client-side JavaScript, which helps to mitigate certain types of cross-site scripting (XSS) attacks[^1^].

[^1^]: (https://www.ory.sh/docs/troubleshooting/csrf#accessing-cookies-from-client-side-javascript)
@chilly-king-10285 i want to connect my local postgres with docker kratos on my localhost, how can i?
A message from kapa.ai
To connect your local PostgreSQL database with a Dockerized Ory Kratos on your localhost, you need to update the `dsn` (Data Source Name) configuration in your Ory Kratos configuration file. Here's how you can do it:

1. Open your Ory Kratos configuration file (`kratos.yml`).
2. Find the `dsn` key and change its value to point to your local PostgreSQL database. The format should be like this:

```yaml
dsn: postgres://<username>:<password>@localhost:5432/<database_name>?sslmode=disable&max_conns=20&max_idle_conns=4
```

Please replace `<username>`, `<password>`, and `<database_name>` with your actual PostgreSQL username, password, and database name.

3. Save the changes to your configuration file.
4. Run your Dockerized Ory Kratos with the updated configuration file.

Please note that this assumes that your PostgreSQL server is running on the default port (5432) and that SSL is disabled. You might need to adjust these settings based on your actual PostgreSQL configuration[^1^][^2^].

[^1^]: (https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-ory-kratos)
[^2^]: (https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-postgresql)
@chilly-king-10285 sg=Unable to ping database, retrying. audience=application error=map[message:failed to connect to `host=localhost user=postgres database=kratos
A message from kapa.ai
Sorry @lemon-student-13425, I seem to be having a bit of trouble. Don't worry though, I've pinged my support folks and they will try to fix me up! 🧑‍💻 Perhaps try again in 5mins?