# general
Hey! I'm trying to create a 'recovery' flow to reset a password of one of our accounts. I'm doing this directly in Unity using WebRequests (they basically provide POST/GET/DELETE... methods with custom upload body data and headers). My problem is that I always get the error: "The recovery code is invalid or has already been used. Please try again." These are my steps:
1. I create a flow id by sending a GET request to 'ory-service-url.../self-service/recovery/api' (this will generate a flow id that I will use to send a recovery code to email).
2. I create a POST request using the recovery flow id to 'ory-service-url.../self-service/recovery?flow={the received flow id}', upload the email to send the recovery code to, and set the method to 'code' in the body.
3. After all of that (still using the same flow id), I create a POST request to 'ory-service-url.../self-service/recovery?flow={the stored flow id}', upload the entered code in the 'recovery_code' field and the new password value in the 'password' field, and set the method to 'code' in the body.
Also important to note that I'm always setting the header 'Content-Type' to 'application/json'. Any idea why I always get the 'The recovery code is invalid or has already been used. Please try again' message in the response after step 3? All I would like to achieve is to do the 'password change' directly in the native app (in the game) and not redirect the user to an external link in a browser. Is this even possible? Thanks in advance!
what's the difference between 2 and 3?
isn't 2 already submitting the code and therefore invalidating it?
The 2nd step sends the code to the user's email address. The third step creates a new password if the entered code that the user received on email is correct and the new password is in a correct format. Or is this approach misunderstood from my side?
have you seen this introduction guide? https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration I don't quite get your setup, what is happening client-side and what is happening on your server? what is the difference between the two post requests in step 2 and 3?
Hey @steep-lamp-91158 , thanks. I have seen this API. However what I would like to achieve is to directly change the user's password in the app without redirecting the user to the external website in a browser. So what I understand from the docs - I need to create a recovery flow, get the id, then submit the recovery flow with the generated flow id, the entered user's email and a 'code' method (because I want to do the password reset with a code, not a link). I'll receive the code in my email inbox. Now I want to enter this code inside my app and enter a new password; and somehow submit this recovery flow again with the received code? Not really sure about this now.
OK so what you have to do are these steps. The UI does not have to present all of this to the user but can submit something automatically as well if applicable.
1. create recovery flow
2. submit the flow with the email address
3. submit the flow with the code that the user inputs
4. continue with the settings flow that gets created automatically
5. submit the settings flow with the new password
Hmm so should I somehow manage to get to the setting flow? https://www.ory.sh/docs/reference/api#tag/frontend/operation/updateSettingsFlow
you will either be redirected to the settings flow or get a `continue_with` field in the response on success
the "Native Recovery flows" toggle
Thanks Patrik for your time! I will give it a try
Hey @steep-lamp-91158, I've got stuck at step 3. I try to submit the received code to the existing recovery flow with POST on '...self-service/recovery?flow={recoveryFlowId}' and upload body data in JSON with method=code, code={the code received in the user's email}, password={the new user's password}. This is the response body after creating a web req:
In order to complete this flow please redirect the browser to: <https://URL.projects.oryapis.com/ui/settings?flow=f4cdb324-30a5-48f7-a4c1-ebcecbc96bbf>
However, as I mentioned, I'm not doing this through browser, but through native app (directly in Unity). Any ideas? Thanks in advance
yes, what you need to do is submit `method=code&code=1234` without the new password. in the response you get the new settings flow, you have to submit that one with the new password
take a look at the settings flow in the docs. you basically have successfully completed the recovery, and you should follow up with the settings flow where you can set new credentials (e.g. a new password)
Thanks for such a quick response! So I can basically send a request to '...self-service/settings?flow={the flow id that I received from the recovery flow response body after delivering the received code}' and fill the settings flow body with the new password? https://www.ory.sh/docs/reference/api#tag/frontend/operation/updateSettingsFlow
exactly, similar to how the recovery worked
Amazing, thanks a bunch for quick replies!
Sorry to bother again, but after sending a request to '_*...self-service/settings?flow={the flow id I received from the 'redirection' response}*_' with body data 'method=password' and 'password=the new user password', I get an unauthorized response:
{"error": {"code": 401,"status": "Unauthorized","request": "2ea0be3c-f4dc-9ae1-aa6d-f8b6b841e014","reason": "A valid Ory Session Cookie or Ory Session Token is missing.","message": "The request could not be authorized"}}
I'm aware that I can receive a session token once the user is logged in, however in this case the user doesn't know the original password and wants to reset the password while not logged in. Any possible workarounds? Thanks in advance
you should get the token after completing the recovery
I might not be seeing this token in any of the responses from the recovery. These are all the responses that I get from the recovery flow: 1. First I create a recovery flow to get the flow id at 'self-service/recovery/api' with body 'email=my email' and 'method=code':
{
  "id": "b1672d58-e6d7-4aa6-b2fb-3da4beb41f23",
  "type": "api",
  "expires_at": "2024-08-01T09:51:11.65836302Z",
  "issued_at": "2024-08-01T08:51:11.65836302Z",
  "request_url": "<https://URL.projects.oryapis.com/self-service/recovery/api>",
  "active": "code",
  "ui": {
    "action": "<https://URL.projects.oryapis.com/self-service/recovery?flow=b1672d58-e6d7-4aa6-b2fb-3da4beb41f23>",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {}
      },
      {
        "type": "input",
        "group": "code",
        "attributes": {
          "name": "email",
          "type": "email",
          "required": true,
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070007,
            "text": "Email",
            "type": "info"
          }
        }
      },
      {
        "type": "input",
        "group": "code",
        "attributes": {
          "name": "method",
          "type": "submit",
          "value": "code",
          "disabled": false,
          "node_type": "input"
        },
        "messages": [],
        "meta": {
          "label": {
            "id": 1070009,
            "text": "Continue",
            "type": "info"
          }
        }
      }
    ]
  },
  "state": "choose_method"
}
2. Then I enter the code that I receive in my inbox and send a request to 'self-service/recovery?flow={the flow id again}' with body 'code=the code' and 'method=code'. Response:
{"error":{"id":"browser_location_change_required","code":422,"status":"Unprocessable Entity","reason":"In order to complete this flow please redirect the browser to: <https://URL.projects.oryapis.com/ui/settings?flow=c6a9b016-e7fa-44be-876c-751f5658d10a>","message":"browser location change required"},"redirect_browser_to":"<https://URL.projects.oryapis.com/ui/settings?flow=c6a9b016-e7fa-44be-876c-751f5658d10a>"}
3. After that I parse the 'redirect_browser_to' to get only the flow id and I send a new request to 'self-service/settings?flow={the parsed flow id from the last response}'. And then I get the unauthorized error... I guess I'm missing something where I can get the session token? Thanks again.
Alright, so I found the issue - we needed to enable 'use_continue_with_transitions' in our config file. Now everything seems to work properly.
yes, exactly that one, forgot to follow up on that