feat: add verification via code (#2838)

The new `code` strategy is now supported as a verification strategy. If enabled, the strategy sends a code, instead of a magic link to the user's address, which they can use to verify their address.

Close #2824

Author: jonas-jonas

.vscode/launch.json

@@ -75,6 +75,7 @@ func init() {
 		"NewErrorValidationVerificationTokenInvalidOrAlreadyUsed": text.NewErrorValidationVerificationTokenInvalidOrAlreadyUsed(),
 		"NewErrorValidationVerificationRetrySuccess":              text.NewErrorValidationVerificationRetrySuccess(),
 		"NewErrorValidationVerificationStateFailure":              text.NewErrorValidationVerificationStateFailure(),
+		"NewErrorValidationVerificationCodeInvalidOrAlreadyUsed":  text.NewErrorValidationVerificationCodeInvalidOrAlreadyUsed(),
 		"NewErrorSystemGeneric":                                   text.NewErrorSystemGeneric("{reason}"),
 		"NewValidationErrorGeneric":                               text.NewValidationErrorGeneric("{reason}"),
 		"NewValidationErrorRequired":                              text.NewValidationErrorRequired("{field}"),
@@ -121,6 +122,7 @@ func init() {
 		"NewErrorValidationRecoveryStateFailure":                  text.NewErrorValidationRecoveryStateFailure(),
 		"NewInfoNodeInputEmail":                                   text.NewInfoNodeInputEmail(),
 		"NewInfoNodeResendOTP":                                    text.NewInfoNodeResendOTP(),
+		"NewInfoNodeLabelReturn":                                  text.NewInfoNodeLabelReturn(),
 		"NewInfoSelfServiceSettingsRegisterWebAuthn":              text.NewInfoSelfServiceSettingsRegisterWebAuthn(),
 		"NewInfoLoginWebAuthnPasswordless":                        text.NewInfoLoginWebAuthnPasswordless(),
 		"NewInfoSelfServiceRegistrationRegisterWebAuthn":          text.NewInfoSelfServiceRegistrationRegisterWebAuthn(),

cmd/clidoc/main.go

@@ -25,7 +25,7 @@ selfservice:
     lookup_secret:
       enabled: true
     link:
-      enabled: false
+      enabled: true
     code:
       enabled: true
 
@@ -46,6 +46,7 @@ selfservice:
     verification:
       enabled: true
       ui_url: http://127.0.0.1:4455/verification
+      use: code
       after:
         default_browser_return_url: http://127.0.0.1:4455/
 

contrib/quickstart/kratos/email-password/kratos.yml

@@ -30,14 +30,16 @@ type (
 type TemplateType string
 
 const (
-	TypeRecoveryInvalid     TemplateType = "recovery_invalid"
-	TypeRecoveryValid       TemplateType = "recovery_valid"
-	TypeRecoveryCodeInvalid TemplateType = "recovery_code_invalid"
-	TypeRecoveryCodeValid   TemplateType = "recovery_code_valid"
-	TypeVerificationInvalid TemplateType = "verification_invalid"
-	TypeVerificationValid   TemplateType = "verification_valid"
-	TypeOTP                 TemplateType = "otp"
-	TypeTestStub            TemplateType = "stub"
+	TypeRecoveryInvalid         TemplateType = "recovery_invalid"
+	TypeRecoveryValid           TemplateType = "recovery_valid"
+	TypeRecoveryCodeInvalid     TemplateType = "recovery_code_invalid"
+	TypeRecoveryCodeValid       TemplateType = "recovery_code_valid"
+	TypeVerificationInvalid     TemplateType = "verification_invalid"
+	TypeVerificationValid       TemplateType = "verification_valid"
+	TypeVerificationCodeInvalid TemplateType = "verification_code_invalid"
+	TypeVerificationCodeValid   TemplateType = "verification_code_valid"
+	TypeOTP                     TemplateType = "otp"
+	TypeTestStub                TemplateType = "stub"
 )
 
 func GetEmailTemplateType(t EmailTemplate) (TemplateType, error) {
@@ -54,6 +56,10 @@ func GetEmailTemplateType(t EmailTemplate) (TemplateType, error) {
 		return TypeVerificationInvalid, nil
 	case *email.VerificationValid:
 		return TypeVerificationValid, nil
+	case *email.VerificationCodeInvalid:
+		return TypeVerificationCodeInvalid, nil
+	case *email.VerificationCodeValid:
+		return TypeVerificationCodeValid, nil
 	case *email.TestStub:
 		return TypeTestStub, nil
 	default:
@@ -99,6 +105,18 @@ func NewEmailTemplateFromMessage(d template.Dependencies, msg Message) (EmailTem
 			return nil, err
 		}
 		return email.NewVerificationValid(d, &t), nil
+	case TypeVerificationCodeInvalid:
+		var t email.VerificationCodeInvalidModel
+		if err := json.Unmarshal(msg.TemplateData, &t); err != nil {
+			return nil, err
+		}
+		return email.NewVerificationCodeInvalid(d, &t), nil
+	case TypeVerificationCodeValid:
+		var t email.VerificationCodeValidModel
+		if err := json.Unmarshal(msg.TemplateData, &t); err != nil {
+			return nil, err
+		}
+		return email.NewVerificationCodeValid(d, &t), nil
 	case TypeTestStub:
 		var t email.TestStubModel
 		if err := json.Unmarshal(msg.TemplateData, &t); err != nil {

courier/email_templates.go

@@ -18,11 +18,15 @@ import (
 
 func TestGetTemplateType(t *testing.T) {
 	for expectedType, tmpl := range map[courier.TemplateType]courier.EmailTemplate{
-		courier.TypeRecoveryInvalid:     &email.RecoveryInvalid{},
-		courier.TypeRecoveryValid:       &email.RecoveryValid{},
-		courier.TypeVerificationInvalid: &email.VerificationInvalid{},
-		courier.TypeVerificationValid:   &email.VerificationValid{},
-		courier.TypeTestStub:            &email.TestStub{},
+		courier.TypeRecoveryInvalid:         &email.RecoveryInvalid{},
+		courier.TypeRecoveryValid:           &email.RecoveryValid{},
+		courier.TypeRecoveryCodeInvalid:     &email.RecoveryCodeInvalid{},
+		courier.TypeRecoveryCodeValid:       &email.RecoveryCodeValid{},
+		courier.TypeVerificationInvalid:     &email.VerificationInvalid{},
+		courier.TypeVerificationValid:       &email.VerificationValid{},
+		courier.TypeVerificationCodeInvalid: &email.VerificationCodeInvalid{},
+		courier.TypeVerificationCodeValid:   &email.VerificationCodeValid{},
+		courier.TypeTestStub:                &email.TestStub{},
 	} {
 		t.Run(fmt.Sprintf("case=%s", expectedType), func(t *testing.T) {
 			actualType, err := courier.GetEmailTemplateType(tmpl)
@@ -37,13 +41,15 @@ func TestNewEmailTemplateFromMessage(t *testing.T) {
 	ctx := context.Background()
 
 	for tmplType, expectedTmpl := range map[courier.TemplateType]courier.EmailTemplate{
-		courier.TypeRecoveryInvalid:     email.NewRecoveryInvalid(reg, &email.RecoveryInvalidModel{To: "foo"}),
-		courier.TypeRecoveryValid:       email.NewRecoveryValid(reg, &email.RecoveryValidModel{To: "bar", RecoveryURL: "http://foo.bar"}),
-		courier.TypeRecoveryCodeValid:   email.NewRecoveryCodeValid(reg, &email.RecoveryCodeValidModel{To: "bar", RecoveryCode: "12345678"}),
-		courier.TypeRecoveryCodeInvalid: email.NewRecoveryCodeInvalid(reg, &email.RecoveryCodeInvalidModel{To: "bar"}),
-		courier.TypeVerificationInvalid: email.NewVerificationInvalid(reg, &email.VerificationInvalidModel{To: "baz"}),
-		courier.TypeVerificationValid:   email.NewVerificationValid(reg, &email.VerificationValidModel{To: "faz", VerificationURL: "http://bar.foo"}),
-		courier.TypeTestStub:            email.NewTestStub(reg, &email.TestStubModel{To: "far", Subject: "test subject", Body: "test body"}),
+		courier.TypeRecoveryInvalid:         email.NewRecoveryInvalid(reg, &email.RecoveryInvalidModel{To: "foo"}),
+		courier.TypeRecoveryValid:           email.NewRecoveryValid(reg, &email.RecoveryValidModel{To: "bar", RecoveryURL: "http://foo.bar"}),
+		courier.TypeRecoveryCodeValid:       email.NewRecoveryCodeValid(reg, &email.RecoveryCodeValidModel{To: "bar", RecoveryCode: "12345678"}),
+		courier.TypeRecoveryCodeInvalid:     email.NewRecoveryCodeInvalid(reg, &email.RecoveryCodeInvalidModel{To: "bar"}),
+		courier.TypeVerificationInvalid:     email.NewVerificationInvalid(reg, &email.VerificationInvalidModel{To: "baz"}),
+		courier.TypeVerificationValid:       email.NewVerificationValid(reg, &email.VerificationValidModel{To: "faz", VerificationURL: "http://bar.foo"}),
+		courier.TypeVerificationCodeInvalid: email.NewVerificationCodeInvalid(reg, &email.VerificationCodeInvalidModel{To: "baz"}),
+		courier.TypeVerificationCodeValid:   email.NewVerificationCodeValid(reg, &email.VerificationCodeValidModel{To: "faz", VerificationURL: "http://bar.foo", VerificationCode: "123456678"}),
+		courier.TypeTestStub:                email.NewTestStub(reg, &email.TestStubModel{To: "far", Subject: "test subject", Body: "test body"}),
 	} {
 		t.Run(fmt.Sprintf("case=%s", tmplType), func(t *testing.T) {
 			tmplData, err := json.Marshal(expectedTmpl)

courier/email_templates_test.go

@@ -0,0 +1,7 @@
+Hi,
+
+someone asked to verify this email address, but we were unable to find an account for this address.
+
+If this was you, check if you signed up using a different address.
+
+If this was not you, please ignore this email.

courier/template/courier/builtin/templates/verification_code/invalid/email.body.gotmpl

@@ -0,0 +1,7 @@
+Hi,
+
+someone asked to verify this email address, but we were unable to find an account for this address.
+
+If this was you, check if you signed up using a different address.
+
+If this was not you, please ignore this email.

courier/template/courier/builtin/templates/verification_code/invalid/email.body.plaintext.gotmpl

@@ -0,0 +1 @@
+Someone tried to verify this email address

courier/template/courier/builtin/templates/verification_code/invalid/email.subject.gotmpl

@@ -0,0 +1,9 @@
+Hi,
+
+please verify your account by entering the following code:
+
+{{ .VerificationCode }}
+
+or clicking the following link:
+
+<a href="{{ .VerificationURL }}">{{ .VerificationURL }}</a>

courier/template/courier/builtin/templates/verification_code/valid/email.body.gotmpl

@@ -0,0 +1,9 @@
+Hi,
+
+please verify your account by entering the following code:
+
+{{ .VerificationCode }}
+
+or clicking the following link:
+
+{{ .VerificationURL }}

courier/template/courier/builtin/templates/verification_code/valid/email.body.plaintext.gotmpl

@@ -0,0 +1 @@
+Please verify your email address

courier/template/courier/builtin/templates/verification_code/valid/email.subject.gotmpl

@@ -0,0 +1,73 @@
+// Copyright © 2022 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package email
+
+import (
+	"context"
+	"encoding/json"
+	"os"
+	"strings"
+
+	"github.com/ory/kratos/courier/template"
+)
+
+type (
+	VerificationCodeInvalid struct {
+		d template.Dependencies
+		m *VerificationCodeInvalidModel
+	}
+	VerificationCodeInvalidModel struct {
+		To string
+	}
+)
+
+func NewVerificationCodeInvalid(d template.Dependencies, m *VerificationCodeInvalidModel) *VerificationCodeInvalid {
+	return &VerificationCodeInvalid{d: d, m: m}
+}
+
+func (t *VerificationCodeInvalid) EmailRecipient() (string, error) {
+	return t.m.To, nil
+}
+
+func (t *VerificationCodeInvalid) EmailSubject(ctx context.Context) (string, error) {
+	subject, err := template.LoadText(
+		ctx,
+		t.d,
+		os.DirFS(t.d.CourierConfig().CourierTemplatesRoot(ctx)),
+		"verification_code/invalid/email.subject.gotmpl",
+		"verification_code/invalid/email.subject*",
+		t.m,
+		t.d.CourierConfig().CourierTemplatesVerificationCodeInvalid(ctx).Subject,
+	)
+
+	return strings.TrimSpace(subject), err
+}
+
+func (t *VerificationCodeInvalid) EmailBody(ctx context.Context) (string, error) {
+	return template.LoadHTML(
+		ctx,
+		t.d,
+		os.DirFS(t.d.CourierConfig().CourierTemplatesRoot(ctx)),
+		"verification_code/invalid/email.body.gotmpl",
+		"verification_code/invalid/email.body*",
+		t.m,
+		t.d.CourierConfig().CourierTemplatesVerificationCodeInvalid(ctx).Body.HTML,
+	)
+}
+
+func (t *VerificationCodeInvalid) EmailBodyPlaintext(ctx context.Context) (string, error) {
+	return template.LoadText(
+		ctx,
+		t.d,
+		os.DirFS(t.d.CourierConfig().CourierTemplatesRoot(ctx)),
+		"verification_code/invalid/email.body.plaintext.gotmpl",
+		"verification_code/invalid/email.body.plaintext*",
+		t.m,
+		t.d.CourierConfig().CourierTemplatesVerificationCodeInvalid(ctx).Body.PlainText,
+	)
+}
+
+func (t *VerificationCodeInvalid) MarshalJSON() ([]byte, error) {
+	return json.Marshal(t.m)
+}

courier/template/email/verification_code_invalid.go

@@ -0,0 +1,30 @@
+// Copyright © 2022 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package email_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/ory/kratos/courier"
+	"github.com/ory/kratos/courier/template/email"
+	"github.com/ory/kratos/courier/template/testhelpers"
+	"github.com/ory/kratos/internal"
+)
+
+func TestVerifyCodeInvalid(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	t.Run("test=with courier templates directory", func(t *testing.T) {
+		_, reg := internal.NewFastRegistryWithMocks(t)
+		tpl := email.NewVerificationCodeInvalid(reg, &email.VerificationCodeInvalidModel{})
+
+		testhelpers.TestRendered(t, ctx, tpl)
+	})
+
+	t.Run("test=with remote resources", func(t *testing.T) {
+		testhelpers.TestRemoteTemplates(t, "../courier/builtin/templates/verification_code/invalid", courier.TypeVerificationCodeInvalid)
+	})
+}

courier/template/email/verification_code_invalid_test.go

@@ -0,0 +1,74 @@
+// Copyright © 2022 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package email
+
+import (
+	"context"
+	"encoding/json"
+	"os"
+	"strings"
+
+	"github.com/ory/kratos/courier/template"
+)
+
+type (
+	VerificationCodeValid struct {
+		d template.Dependencies
+		m *VerificationCodeValidModel
+	}
+	VerificationCodeValidModel struct {
+		To               string
+		VerificationURL  string
+		VerificationCode string
+		Identity         map[string]interface{}
+	}
+)
+
+func NewVerificationCodeValid(d template.Dependencies, m *VerificationCodeValidModel) *VerificationCodeValid {
+	return &VerificationCodeValid{d: d, m: m}
+}
+
+func (t *VerificationCodeValid) EmailRecipient() (string, error) {
+	return t.m.To, nil
+}
+
+func (t *VerificationCodeValid) EmailSubject(ctx context.Context) (string, error) {
+	subject, err := template.LoadText(
+		ctx,
+		t.d,
+		os.DirFS(t.d.CourierConfig().CourierTemplatesRoot(ctx)),
+		"verification_code/valid/email.subject.gotmpl",
+		"verification_code/valid/email.subject*",
+		t.m,
+		t.d.CourierConfig().CourierTemplatesVerificationCodeValid(ctx).Subject,
+	)
+
+	return strings.TrimSpace(subject), err
+}
+
+func (t *VerificationCodeValid) EmailBody(ctx context.Context) (string, error) {
+	return template.LoadHTML(ctx,
+		t.d,
+		os.DirFS(t.d.CourierConfig().CourierTemplatesRoot(ctx)),
+		"verification_code/valid/email.body.gotmpl",
+		"verification_code/valid/email.body*",
+		t.m,
+		t.d.CourierConfig().CourierTemplatesVerificationCodeValid(ctx).Body.HTML,
+	)
+}
+
+func (t *VerificationCodeValid) EmailBodyPlaintext(ctx context.Context) (string, error) {
+	return template.LoadText(ctx,
+		t.d,
+		os.DirFS(t.d.CourierConfig().CourierTemplatesRoot(ctx)),
+		"verification_code/valid/email.body.plaintext.gotmpl",
+		"verification_code/valid/email.body.plaintext*",
+		t.m,
+		t.d.CourierConfig().CourierTemplatesVerificationCodeValid(ctx).Body.PlainText,
+	)
+}
+
+func (t *VerificationCodeValid) MarshalJSON() ([]byte, error) {
+	return json.Marshal(t.m)
+}

courier/template/email/verification_code_valid.go

@@ -0,0 +1,30 @@
+// Copyright © 2022 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package email_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/ory/kratos/courier"
+	"github.com/ory/kratos/courier/template/email"
+	"github.com/ory/kratos/courier/template/testhelpers"
+	"github.com/ory/kratos/internal"
+)
+
+func TestVerifyCodeValid(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	t.Run("test=with courier templates directory", func(t *testing.T) {
+		_, reg := internal.NewFastRegistryWithMocks(t)
+		tpl := email.NewVerificationCodeValid(reg, &email.VerificationCodeValidModel{})
+
+		testhelpers.TestRendered(t, ctx, tpl)
+	})
+
+	t.Run("test=with remote resources", func(t *testing.T) {
+		testhelpers.TestRemoteTemplates(t, "../courier/builtin/templates/verification_code/valid", courier.TypeVerificationCodeValid)
+	})
+}