Hi team, I think I found a bug in Kratos settings ...
# general
Hi team, I think I found a bug in the Kratos settings API, maybe it is already known. Basically, the behaviour of the profile update POST request is different based on the format of the body. The behaviour when sending a flat JSON vs a nested one is different 🤯 is this expected? Sending, for example

```js
{
  csrf_token: csrf_token,
  method: "profile",
  traits: {
    last_name: "",
    // ...more fields
  }
}
```

will just update the fields in `traits` and keep `last_name` with an empty string. However, if I send

```js
{
  csrf_token: csrf_token,
  method: "profile",
  "traits.last_name": "",
  // ...more fields
}
```

Kratos will completely remove `last_name` from `traits` 🤯 I find it hard to believe that this is expected behaviour but I’d like to double check with you 🙏 I’m happy to maybe help with a fix for this (I’m not a Go expert and I’m not super familiar with the Kratos source code) if you give me some tips about where to look. Thanks!!
Some updates: I built the Kratos image locally with some logs wrapping the settings body decoder and those fields are removed by the decoder. They are present in the input body as empty strings but the decoder is removing them, so `&p` after decoding is not holding them, making Kratos update the identity traits incorrectly.
After diving into the code, these 3 lines in the `ory/x` decoder are responsible for the behaviour: https://github.com/ory/x/blob/master/decoderx/http.go#L504-L506