<@U04UQ68083H> can a user's password hash be acces...
# ory-copilot
s
@chilly-king-10285 can a user's password hash be accessed in the settings webhook?
c
A message from kapa.ai
No, a user's password hash cannot be accessed in the settings webhook. The settings webhook in Ory Kratos is used for triggering custom logic after a user has updated their settings, such as revoking active sessions after a password change. However, it does not provide access to sensitive information like password hashes. For security reasons, password hashes are typically not exposed through webhooks or APIs. In Ory Kratos, password hashes can be imported when creating or updating an identity, but they are not retrievable through the API or webhooks. For more information, you can refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/session-management/revoke-sessions-hook) on session management and settings webhooks.
s
@chilly-king-10285 I want to detect when a user has changed their password, what's the best way to do that?
c
A message from kapa.ai
The best way to detect when a user has changed their password in Ory Kratos is to use the `after` settings hook. You can add the `revoke_active_sessions` action to the `hooks` configuration in the settings flow. This action will be triggered when a user successfully changes their account settings, including their password. Here is an example of how to configure this in your `config.yml` file:

```yaml
selfservice:
  flows:
    settings:
      after:
        password:
          hooks:
            - hook: revoke_active_sessions
```

This configuration will revoke all active sessions of a user after they change their password, effectively logging them out of all devices. This is a common security measure to ensure that any old sessions, potentially in the hands of malicious actors, are invalidated when the password is changed. For more information, you can refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/session-management/revoke-sessions-hook) on session management and settings hooks.
s
@chilly-king-10285 but I don't want to revoke their active sessions, I want to know when they've changed their password so I can send an email to a user notifying them that their password has been changed.
c
A message from kapa.ai
To send an email to a user notifying them that their password has been changed, you can use the `after` settings hook in Ory Kratos to trigger a custom action. This custom action could be a webhook that sends an email to the user. However, the specific implementation of this custom action is not detailed in the provided knowledge sources. You would need to create a custom hook that sends an email when triggered. Here is an example of how you might configure this in your `config.yml` file:

```yaml
selfservice:
  flows:
    settings:
      after:
        password:
          hooks:
            - hook: custom_email_hook
```

In this example, `custom_email_hook` would be a custom hook you've created that sends an email to the user when their password is changed. For more information on how to create and configure hooks in Ory Kratos, you can refer to the [Ory Kratos documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions) on hooks.