millions-van-17299
06/14/2025, 5:14 PM
ui.nodes in the response from calling /self-service/login/browser?aal=aal2? I am using 2FA with email/SMS code as the second factor, but I don't like that the user's email is in the response, so is it possible to remove it? The reason for it is that my first factor is kinda insecure (don't ask why), so I want to require 2FA but don't want any user info to leak before the user signs up with 2FA. I already set session/whoami to require 2FA and it seems to work (returns an error with "id": "session_aal2_required").
This is the part from response when I try to upgrade to aal2 that I want to remove:
{
  "type": "input",
  "group": "code",
  "attributes": {
    "name": "address",
    "type": "submit",
    "value": "test@test.com",
    "disabled": false,
    "node_type": "input"
  },
  "messages": [],
  "meta": {
    "label": {
      "id": 1010023,
      "text": "Send code to test@test.com",
      "type": "info",
      "context": {
        "address": "test@test.com",
        "channel": "email"
      }
    }
  }
}
I am not displaying this anywhere on the UI but would also like to not have it leak in the response (before aal2 is established).
From what I have gathered so far, it appears that removing this is not possible, so now I am thinking that the only way to implement the flow that I need would be to have a proxy that edits the response. However, this seems to be heavily discouraged from what I have read, and I would like any tips or concerns on why that is. E.g., the flow would go like this:
frontend -> proxy -> kratos
(proxy would modify req/res where needed but other than that pass everything both ways, cookies etc included)
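One concrete shape of the response rewriting described above, as an added example that is neither Ory's code nor the poster's: the proxy replaces the address node's value and label with an opaque per-flow token before the body reaches the browser, and maps the token back to the real address when the browser submits it. It assumes the browser submits the node's value unchanged (the node is a submit input named address), and the flow body and token store are constructed here.

```python
import json
import secrets
from copy import deepcopy
# Constructed sample: the `address` node from the post inside a minimal
# login-flow body (flow id and action are placeholders, other nodes omitted).
SAMPLE_FLOW = {
    "id": "FLOW-ID-PLACEHOLDER",
    "ui": {"action": "/self-service/login?flow=FLOW-ID-PLACEHOLDER", "method": "POST",
           "nodes": [{"type": "input", "group": "code",
                      "attributes": {"name": "address", "type": "submit", "value": "test@test.com",
                                     "disabled": False, "node_type": "input"},
                      "messages": [],
                      "meta": {"label": {"id": 1010023, "text": "Send code to test@test.com",
                                         "type": "info",
                                         "context": {"address": "test@test.com", "channel": "email"}}}}]},
}

def redact_address_nodes(flow: dict, token_map: dict) -> dict:
    """Copy of the flow in which each code-group `address` node carries an opaque token;
    token_map records token -> address (a real proxy keys this by flow id or cookie)."""
    out = deepcopy(flow)
    for node in out.get("ui", {}).get("nodes", []):
        attrs = node.get("attributes", {})
        if node.get("group") != "code" or attrs.get("name") != "address":
            continue
        real = attrs.get("value")
        if not isinstance(real, str) or not real:
            continue
        token = secrets.token_urlsafe(16)
        token_map[token] = real
        attrs["value"] = token
        label = node.get("meta", {}).get("label")
        if label:  # the label text and its context carry the address as well
            channel = label.get("context", {}).get("channel", "address")
            label["text"] = f"Send code to your {channel}"
            label["context"] = {"address": token, "channel": channel}
    return out

def restore_address(form: dict, token_map: dict) -> dict:
    """Swap a submitted token back to the real address before forwarding the POST
    to Kratos; each token is single use."""
    out = dict(form)
    if out.get("address") in token_map:
        out["address"] = token_map.pop(out["address"])
    return out

def leaks(body: dict, secret: str) -> bool:
    """True if `secret` appears anywhere in the serialised body; run on every pre-aal2 response."""
    return secret in json.dumps(body)
```

The restore step is what keeps the rewrite workable: a proxy that only deletes the node leaves the browser with nothing to submit to request the code.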