# ory-network
f
Hi! Can I disable automatic sending of emails when “Require Verified Address for Login” is enabled? I want to trigger the sending of the email by calling https://www.ory.sh/docs/kratos/reference/api#tag/frontend/operation/createBrowserVerificationFlow instead, so that I can re-use the flow ID for the verification flow.
p
cc @bland-eye-99092
f
I’m really struggling with the email verification flow, tbh. Please verify that my understanding is correct:
1. To confirm your email with `updateVerificationFlow` you need both:
   a. The correct flow (flow ID is retrieved by the email that is automatically sent during signup, or retrieved through `createBrowserVerificationFlow`)
   b. The correct code
2. There is no way to retrieve the verification flow ID directly when calling `updateRegistrationFlow`?
3. Therefore, automatic sending of emails on `updateRegistrationFlow` means you have to open the link in the email in order to retrieve the verification flow ID? If you are triggering the flow yourself by using `createBrowserVerificationFlow` you can retrieve the verification flow from the response of this request, and then you only need the confirmation code sent by email.
b
Hi, sorry for the late reply. Your understanding is correct. For now there is no way to retrieve the flow id outside of clicking the link. However we do plan on making this more ergonomic. Unfortunately, there is also no way of requiring a verified address for login, without also automatically sending the verification code email.
f
No worries, and thank you for confirming my understanding. In a last attempt to keep the user in their original signup tab while confirming their email, I also tried to set the URL under User Interface -> Verification UI to mydomain.com/email-verification so that the user will be redirected to a separate page (in a new tab) where I can retrieve the flow ID from the query param and they can provide their confirmation code manually. This, however, results in a `403` stating the `csrf_token` is invalid when I’m calling `getVerificationFlow` with the flow ID, but this only happens when the original signup tab is open at the same time. However, if I close the original signup tab and call `getVerificationFlow` it works just fine. Can’t quite wrap my head around what’s causing this to be honest. But I’m suspecting that some cookies are bleeding over from the original signup tab? Would this problem then be solved if I move mydomain.com/email-verification to verification.mydomain.com/email-verification to avoid the potential cookie problem?
Seems like it’s working if I open the link in the email once more. Really struggling to understand why opening the link the first time is resulting in 403 when GETing the flow, ref:
{
  "error": {
    "id": "security_csrf_violation",
    "code": 403,
    "status": "Forbidden",
    "request": "7334a04b-e89b-938e-8f74-3d333cc789b9",
    "reason": "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
    "details": {
      "docs": "<https://www.ory.sh/kratos/docs/debug/csrf>",
      "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
      "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
    },
    "message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
  }
}
Are you sure automatic sending of emails cannot be disabled? That would solve this case completely😅
b
The verification flow is not supposed to be protected against CSRF, as the potential risk is quite low. But Kratos does reject requests that have an Anti CSRF cookie set, even if the flow doesn’t require it, AFAIK. That’s probably why you’re seeing the error.
> Are you sure automatic sending of emails cannot be disabled? That would solve this case completely
I don’t know of a way, but I might be mistaken. Feel free to file an issue in ory/kratos, though.
f
Thank you. I was not able to solve the CSRF issue, but I found a way around it. This is how I solved it:
1. Direct the user to the `/ui/verification` in the Account Experience when clicking the link in the verification email.
2. Redirect the user to a generic `/confirmation` page in my webapp informing them that their email has been confirmed, and they can now continue their flow from where they started.