Settings flow unable to update password and vulnerability discovered #4065

Open
Labels
bug Something is not working.

Comments


dextercodo commented Aug 28, 2024

Ory Network Project

No response

Describe the bug

When trying to update the settings flow using the password / profile methods, I get the following error:

{
    "id": 4000007,
    "text": "An account with the same identifier (email, phone, username, ...) exists already.",
    "type": "error"
}

Unable to perform either operation.
What's more interesting is that when using the "profile" method and passing a new email address, that gets a 200 response and adds a new email identifier record.

Reproducing the bug

  1. start a registration flow: GET https://api.loopin.io/public/auth/self-service/registration/browser
  2. complete the registration flow: POST https://api.loopin.io/public/auth/self-service/registration?flow=
registration body
{
    "csrf_token": "<token>",
    "method": "password",
    "password": "anythingYouLike",
    "traits": {
        "email": "[email protected]",
        "name": {
            "first": "John",
            "last": "Doe"
        }
    }
}
  3. start a settings flow: GET https://api.loopin.io/public/auth/self-service/settings/browser
  4. complete the settings flow: POST https://api.loopin.io/public/auth/self-service/settings?flow=
settings flow fail body
{
    "csrf_token": "<token>",
    "method": "password",
    "password": "anythingYouLike"
}

Relevant log output

level=info msg=Encountered self-service settings error. func=github.com/ory/kratos/selfservice/flow/settings.(*ErrorHandler).WriteFlowError file=/go/src/github.com/ory/kratos/selfservice/flow/settings/error.go:148 audience=audit error=map[message:I[#/] S[] an account with the same identifier (email, phone, username, ...) exists already stack_trace:
github.com/ory/kratos/schema.NewDuplicateCredentialsError
/go/src/github.com/ory/kratos/schema/errors.go:168
github.com/ory/kratos/selfservice/flow/settings.(*HookExecutor).PostSettingsHook
/go/src/github.com/ory/kratos/selfservice/flow/settings/hook.go:224
github.com/ory/kratos/selfservice/flow/settings.(*Handler).updateSettingsFlow
/go/src/github.com/ory/kratos/selfservice/flow/settings/handler.go:622
github.com/ory/kratos/selfservice/flow/settings.(*Handler).RegisterPublicRoutes.(*Handler).IsAuthenticated.func7
/go/src/github.com/ory/kratos/session/handler.go:853
github.com/ory/kratos/x.(*RouterPublic).POST.NoCacheHandle.func1
/go/src/github.com/ory/kratos/x/nocache.go:21
github.com/ory/kratos/x.(*RouterPublic).Handle.NoCacheHandle.func1
/go/src/github.com/ory/kratos/x/nocache.go:21
github.com/julienschmidt/httprouter.(*Router).ServeHTTP
/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387
github.com/ory/nosurf.(*CSRFHandler).handleSuccess
/go/pkg/mod/github.com/ory/[email protected]/handler.go:234
github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
/go/pkg/mod/github.com/ory/[email protected]/handler.go:185
github.com/ory/kratos/cmd/daemon.servePublic.MaxBytesHandler.func4
/usr/local/go/src/net/http/server.go:3846
net/http.HandlerFunc.ServeHTTP
/usr/local/go/src/net/http/server.go:2171
github.com/urfave/negroni.(*Negroni).UseHandler.Wrap.func1
/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.init.func1
/go/src/github.com/ory/kratos/x/clean_url.go:15
github.com/urfave/negroni.HandlerFunc.ServeHTTP
/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/rs/cors.(*Cors).ServeHTTP
/go/pkg/mod/github.com/rs/[email protected]/cors.go:324
github.com/ory/kratos/cmd/daemon.servePublic.func1
/go/src/github.com/ory/kratos/cmd/daemon/serve.go:114
github.com/urfave/negroni.HandlerFunc.ServeHTTP
/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
net/http.HandlerFunc.ServeHTTP
/usr/local/go/src/net/http/server.go:2171
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:284
net/http.HandlerFunc.ServeHTTP
/usr/local/go/src/net/http/server.go:2171
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:142
net/http.HandlerFunc.ServeHTTP
/usr/local/go/src/net/http/server.go:2171
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:92
net/http.HandlerFunc.ServeHTTP
/usr/local/go/src/net/http/server.go:2171
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:104
net/http.HandlerFunc.ServeHTTP
/usr/local/go/src/net/http/server.go:2171
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:234
net/http.HandlerFunc.ServeHTTP
/usr/local/go/src/net/http/server.go:2171

Relevant configuration

cookies:
  same_site: Lax
serve:
  public:
    base_url: https://api.loopin.io/public/auth/
    cors:
      enabled: true
      allowed_origins:
        - https://app.loopin.io
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
        - Cookie
      exposed_headers:
        - Content-Type
        - Set-Cookie

selfservice:
  default_browser_return_url: https://app.loopin.io
  allowed_return_urls:
    - https://app.loopin.io

  methods:
    password:
      enabled: true

  flows:
    error:
      ui_url: https://app.loopin.io/error

    settings:
      ui_url: https://app.loopin.io/settings
      privileged_session_max_age: 15m
      required_aal: highest_available

    logout:
      after:
        default_browser_return_url: https://app.loopin.io/login

    login:
      ui_url: https://app.loopin.io/login
      lifespan: 30m

    registration:
      lifespan: 30m
      ui_url: https://app.loopin.io/registration
      after:
        password:
          hooks:
            - hook: session

Version

1.2.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response
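The reproduction steps above, written out as a small cookie-aware client so the two flows can be replayed against a test instance and the response checked for message id 4000007. This is an added example and is not code from the issue report or from Ory; KRATOS_BASE_URL, TEST_EMAIL and TEST_PASSWORD are assumed environment variables, and the client relies on Kratos returning flow JSON when the browser endpoints are called with Accept: application/json. The registration step depends on the reporter's after.password.hooks: session configuration, which issues the session cookie the settings flow needs.

```python
# Added example (not from the issue report or from Ory): a minimal browser-style
# client that walks the registration and settings flows described above and
# checks the responses for message id 4000007. KRATOS_BASE_URL, TEST_EMAIL and
# TEST_PASSWORD are assumed placeholders; the JSON shapes follow Kratos' flow format.
import json
import os
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

DUPLICATE_IDENTIFIER = 4000007  # id of the message quoted in the report


def registration_body(csrf_token, email, password, first, last):
    """Body for POST /self-service/registration?flow=<id> (password method)."""
    return {
        "csrf_token": csrf_token,
        "method": "password",
        "password": password,
        "traits": {"email": email, "name": {"first": first, "last": last}},
    }


def settings_password_body(csrf_token, password):
    """Body for POST /self-service/settings?flow=<id> (password method)."""
    return {"csrf_token": csrf_token, "method": "password", "password": password}


def csrf_token_from_flow(flow):
    """Kratos exposes the CSRF token as a hidden input node named csrf_token."""
    for node in flow.get("ui", {}).get("nodes", []):
        attrs = node.get("attributes", {})
        if attrs.get("name") == "csrf_token":
            return attrs.get("value")
    return None


def message_ids(flow):
    """Collect message ids from ui.messages and from every node's own messages."""
    ui = flow.get("ui", {})
    ids = [m.get("id") for m in ui.get("messages", [])]
    for node in ui.get("nodes", []):
        ids.extend(m.get("id") for m in node.get("messages", []))
    return ids


def hit_duplicate_identifier(flow):
    """True when the flow response carries the 4000007 error from the report."""
    return DUPLICATE_IDENTIFIER in message_ids(flow)


class FlowClient:
    """Cookie-aware client: the session cookie set after registration is what
    lets the settings flow run as the newly created identity."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def _call(self, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data,
            headers={"Accept": "application/json", "Content-Type": "application/json"},
            method="POST" if data else "GET")
        try:
            with self.opener.open(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as e:
            # Kratos answers validation failures with 400 and the updated flow as body
            return e.code, json.load(e)

    def run(self, flow_name, body_fn):
        """Init a browser flow, then submit it with a body built from its CSRF token."""
        status, flow = self._call(f"/self-service/{flow_name}/browser")
        if status != 200:
            return status, flow
        return self._call(f"/self-service/{flow_name}?flow={flow['id']}",
                          body_fn(csrf_token_from_flow(flow)))


def reproduce(base_url, email, password):
    """Steps 1-4 of the report: register, then try to set the password again."""
    client = FlowClient(base_url)
    reg = client.run("registration",
                     lambda t: registration_body(t, email, password, "John", "Doe"))
    upd = client.run("settings", lambda t: settings_password_body(t, password))
    return {"registration_status": reg[0], "settings_status": upd[0],
            "settings_duplicate_error": hit_duplicate_identifier(upd[1])}


if __name__ == "__main__":
    base = os.environ.get("KRATOS_BASE_URL")  # assumed, e.g. the public base_url from the config
    if base:
        print(json.dumps(reproduce(base, os.environ["TEST_EMAIL"], os.environ["TEST_PASSWORD"])))
```

Run it once against a disposable Kratos instance with the three environment variables set; a settings_duplicate_error of true together with a 400 settings_status reproduces the report, while a 200 means the password update went through.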

@dextercodo dextercodo added the bug Something is not working. label Aug 28, 2024