<@U04UQ68083H> when I call updateRecovery flow wit...
# ory-copilot
w
@chilly-king-10285 when I call updateRecovery flow with the email. I get a 200 response with state `sent_email` but the email I receive is the one configured for `notify_unknown_recipients` even though the user exists in my database. What am I missing?
c
A message from kapa.ai
The `notify_unknown_recipients` flag in your configuration might be set to `true`. This flag, when enabled, sends an attempted recovery notification to the email address that was used in the attempt, even if the email address is not registered. This is a security measure to prevent account enumeration attacks. If you want to send recovery emails only to registered email addresses, you should set `notify_unknown_recipients` to `false` in your configuration. Here is how you can update it:

1. Download the Ory Identities configuration from your project and save it to a file:

```bash
## List all available workspaces
ory list workspaces

## List all available projects
ory list projects --workspace <workspace-id>

## Get config
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
```

2. Set `notify_unknown_recipients` to `false` in the `identity-config.yaml` file:

```yaml
flows:
  recovery:
    enabled: true
    lifespan: 15m # Defines how much time the user has to complete the recovery flow in the UI. Default: 1h.
    use: code # Defines which method is used, one of 'code' or 'link'.
    notify_unknown_recipients: false # Defines if the system sends attempted recovery notifications to unregistered addresses.
```

3. Update the Ory Identities configuration using the file you worked with:

```bash
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
```

For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#attempted-recovery-notifications).
w
@chilly-king-10285 should I be getting this email if the email address is registered?
c
A message from kapa.ai
No, if the email address is registered and the user exists in your database, you should not be receiving the `notify_unknown_recipients` email. This email is typically sent when an attempt is made to initiate recovery for unregistered addresses, as a measure to prevent account enumeration attacks. If you're receiving this email for a registered address, it might indicate an issue with how the system is recognizing registered users. Ensure that the email address in the database matches exactly with the one being used for recovery, including any case sensitivity. If the issue persists, it might be worth checking the system logs for any errors or unexpected behavior during the recovery process. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#attempted-recovery-notifications).
w
@chilly-king-10285 All I see in the logs is “Account recovery was requested for an unknown address” but I can see the address in my identities table.
c
A message from kapa.ai
This issue might be related to how the recovery address is configured in your identity schema. In Ory, the recovery address is usually the email address the user provides when registering their account. However, other fields inside the `traits` section are supported as well. Here is an example of how to specify a trait of the identity to be used for recovery:

```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "recovery": {
              "via": "email"
            }
          }
        }
      },
      "additionalProperties": false
    }
  }
}
```

In this schema, the `email` field is used for recovery. Make sure that the recovery address in your identities table matches the field specified in your identity schema. If the issue persists, it might be a bug or an unexpected behavior in Ory. In that case, consider reaching out to the Ory community or support for further assistance. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address).
w
@chilly-king-10285 yes my schema is configured the same way
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "minLength": 6,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            },
            "recovery": {
              "via": "email"
            }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "type": "string"
            },
            "last": {
              "type": "string"
            }
          }
        }
      },
      "required": [
        "email"
      ],
      "additionalProperties": false
    }
  }
}
```
w
@chilly-king-10285 I reset my db and created new users. The issue went away. Not sure why or what changed but is it possible that I can't recover accounts created before I set up recovery on the schema?
c
A message from kapa.ai
Yes, it's possible that the issue was related to the timing of when you set up account recovery in your schema. If the accounts were created before you set up recovery in the schema, they might not have been properly configured for recovery. In Ory Kratos, the recovery address is usually the email address the user provides when registering their account. If the recovery setup was not in place when the accounts were created, the system might not have recognized the email addresses as valid recovery addresses. Resetting your database and creating new users after setting up recovery would ensure that the new accounts are correctly configured for recovery, which is likely why the issue went away. For future reference, it's important to have your identity schema properly configured before creating users, to ensure all necessary features (like account recovery) are correctly set up. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address).
w
@chilly-king-10285 thanks. is there a way to perhaps migrate the users to the updated schema?