https://www.ory.sh/ logo
#talk-kratos
Title
# talk-kratos
s

some-scooter-3723

02/22/2022, 6:33 AM
Hello, Due to some mistakes in FE, we don't handle correctly cookie checking at FE, due to some actions like reset password or registration got error like this one:
Copy code
{
  "code": 400,
  "status": "Bad Request",
  "reason": "A valid session was detected and thus recovery is not possible.",
  "message": "The request was malformed or contained invalid parameters"
}
I checked that there are 3 end points will check session:
Copy code
.ory/kratos/public/self-service/login
.ory/kratos/public/self-service/recovery
.ory/kratos/public/self-service/registration
For login endpoint, I can bypass this check via "refresh=true" param, but there is no param to bypass this for 2 remaining endpoints. My question here is: Do we really need to have this check? I think the requirement to have that checking is from business team, some kind like: some companies will allow end-user to reset pass + register the new one while they're logged in (Gmail is an example, we don't need to logout and we can register new accounts) --> should we have configure to turn on/off this check for recovery + registration flow (or, have same param refresh=true for these 2 flows)?
h

high-optician-2097

02/22/2022, 6:39 AM
I believe there's an open PR for this already!
s

some-scooter-3723

02/22/2022, 6:41 AM
let I check
you mean this one: https://github.com/ory/kratos/pull/2195? it's for recovery flow only, and you're in charged of it 🙂. Please review and think about registration also, thanks.
3 Views