orange-boots-71535 05/04/2022, 7:03 AM
orange-boots-71535 05/04/2022, 7:49 AM
is that we need to know the user’s
to run the query. In this case, we only know a certain trait of the user (their email). We would need to be able to retrieve the
using this trait.
Theoretically, this could be done with a SQL call directly to the ORY Kratos database, which would parse the database for traits where the email
a certain value (for instance,
). However, I think this must be possible through ORY Kratos, but I just don’t have the API exposed to do it.
This is because right now, when a user logs in or creates a new account, ORY Kratos needs to check that:
1. The user email does not exist, which will allow the user to create a new account with that email, or
2. The user email does exist, in which case the user needs a matching password to be able to log in.
Obviously Kratos is somehow checking this data in the backend, but we don’t have an API endpoint to run the same query. It would be really simple in theory, something like (pseudocode)
SELECT userobject FROM kratosdb WHERE email = 'email@example.com'
The only potential problem with exposing this endpoint is username/email enumeration. But I would contend that ORY Kratos users should be able to decide whether or not to solve this problem themselves!
In fact, as mentioned in the Kratos documentation:
If you wish to mitigate account enumeration attacks, it’s important to note that you can’t sign in users directly after sign up! Depending on the type of service you provide, you might not care about this specific attack in which case direct login after sign up would be ok.
orange-boots-71535 05/04/2022, 8:53 AM
orange-boots-71535 05/04/2022, 8:58 AM