# talk-kratos
n
Hello guys, even though I passed the recovery code to the complete recovery API (POST https://{project}.projects.oryapis.com/self-service/recovery), I am still getting a recovery code by mail, and in the response the state is "sent_email". Please help me here.
m
Hey Suresh, could you list step by step what you are doing and what you are trying to achieve? Ideally with some curl commands to reproduce on my end if possible. Thanks!
f
Make sure not to provide the email in the request body when posting the recovery code
Otherwise a new email is sent again
a
Hi @faint-helmet-53309, we tried without the email, and we are getting this:
data: {
error:{
"id": "browser_location_change_required",
"code": 422,
"status": "Unprocessable Entity",
"reason": "In order to complete this flow please redirect the browser to: /ui/settings?flow=18f615f2-43cb-457b-9b79-c695526bf0fe",
"message": "browser location change required"
}
redirect_browser_to: '/ui/settings?flow=18f615f2-43cb-457b-9b79-c695526bf0fe'
}
f
That means it was successful
Check the headers
a
Then we need the session_token to change the password. Where will we get that?
Please help with this.
f
The session token is in the header of the response
If you are in the browser, you can just redirect to the settings page
a
I am using an API call, not the browser. I have got this in the response header; could you help me identify the session token in the header?
headers: {
date: 'Wed, 21 Dec 2022 11:00:00 GMT',
'content-type': 'application/json',
'content-length': '348',
connection: 'close',
b3: '0000000000000000e1a0253d74b6c56c-48a3e94719379d3c-1',
'cache-control': 'private, no-cache, no-store, must-revalidate',
'set-cookie': [Array],
'uber-trace-id': '0000000000000000e1a0253d74b6c56c:48a3e94719379d3c:0:1',
vary: 'Origin,Cookie',
'x-b3-sampled': '1',
'x-b3-spanid': '48a3e94719379d3c',
'x-b3-traceid': '0000000000000000e1a0253d74b6c56c',
'cf-cache-status': 'DYNAMIC',
server: 'cloudflare',
'cf-ray': '77d01c899f0b8ae1-DEL',
'alt-svc': 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'
}
f
Look at the set-cookie contents. There you will find your session cookie
That is the reason you see 422 instead of a redirect
a
When I send the received cookie to the /self-services/settings API to update the password, it rejects it, stating that the request is meant to be from a browser, not the API. Any leads on this?
m
what kind of error do you get exactly @adamant-angle-54989?
API-initiated flows expect `application/json` to be sent in the body and respond with HTTP 200 and an application/json body with the session token on success; HTTP 303 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set; HTTP 400 on form validation errors. HTTP 401 when the endpoint is called without a valid session token. HTTP 403 when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low. Implies that the user needs to re-authenticate.
Browser flows without HTTP Header `Accept` or with `Accept: text/*` respond with a HTTP 303 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded; a HTTP 303 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise. a HTTP 303 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
Browser flows with HTTP Header `Accept: application/json` respond with HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success; HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set; HTTP 401 when the endpoint is called without a valid session cookie. HTTP 403 when the page is accessed without a session cookie or the session's AAL is too low. HTTP 400 on form validation errors.
a
Hi @magnificent-energy-493, I am using ORY's API.
Step 1: I am using `/self-service/recovery/api` to get a recovery flow; it works fine and I get a flow id.
Step 2: Using this flow id I call POST `/self-service/recovery?flow=<flow_id>` to get a recovery code by email, passing the request body `{ method: 'code', email: <my_email> }`. It works fine and I get the recovery code by email.
Step 3: Again using the same flow id I call POST `/self-service/recovery?flow=<flow_id>` to submit the OTP, passing the request body `{ method: 'code', code: <code_from_email> }`, but the API returns status `422` instead of `200`, with the message `message: 'In order to complete this flow please redirect the browser to: /ui/settings?flow=93b5be58-24d2-48ba-bb3a-e833b6'`. In the response header I get `set-cookie`, which contains an array with csrf_token and session_token. I try to hit POST `/self-service/settings?flow=93b5be58-24d2-48ba-bb3a-e833b6` with the request body `{ method: 'password', password: <my_new_password> }` along with the received headers, and it gives me a `400` error saying:
The HTTP Request Header included the "Cookie" key, indicating that this request was made by a Browser. The flow however was initiated as an API request. To prevent potential misuse and mitigate several attack vectors including CSRF, the request has been blocked. Please consult the documentation.
m
The problem is that you are sending the request from a browser @adamant-angle-54989. Are you using something like Postman or Insomnia? Those are also browsers (Electron) under the hood, so that could be causing the problem with CSRF. Try sending the request straight from the terminal with e.g. cURL.
a
I am sending requests through my code, and I am invoking my APIs from Postman only.
m
Please try it directly from your terminal without Postman.