feat: better detection if credentials exist on identifier first login (…

…#3963)
ory · Jun 21, 2024 · 11a28a1 · 11a28a1
1 parent b07329d
commit 11a28a1
Show file tree

Hide file tree

Showing 35 changed files with 427 additions and 224 deletions.
diff --git a/selfservice/flow/login/strategy_form_hydrator.go b/selfservice/flow/login/strategy_form_hydrator.go
@@ -20,6 +20,19 @@ type FormHydrator interface {
 	PopulateLoginMethodFirstFactor(r *http.Request, sr *Flow) error
 	PopulateLoginMethodSecondFactor(r *http.Request, sr *Flow) error
 	PopulateLoginMethodSecondFactorRefresh(r *http.Request, sr *Flow) error
+
+	// PopulateLoginMethodIdentifierFirstCredentials populates the login form with the first factor credentials.
+	// This method is called when the login flow is set to identifier first. The method will receive information
+	// about the identity that is being used to log in and the identifier that was used to find the identity.
+	//
+	// The method should populate the login form with the credentials of the identity.
+	//
+	// If the method can not find any credentials (because the identity does not exist) idfirst.ErrNoCredentialsFound
+	// must be returned. When returning  idfirst.ErrNoCredentialsFound the strategy will appropriately deal with
+	// account enumeration mitigation.
+	//
+	// This method does however need to take appropriate steps to show/hide certain fields depending on the account
+	// enumeration configuration.
 	PopulateLoginMethodIdentifierFirstCredentials(r *http.Request, sr *Flow, options ...FormHydratorModifier) error
 	PopulateLoginMethodIdentifierFirstIdentification(r *http.Request, sr *Flow) error
 }

diff --git a/selfservice/strategy/code/strategy_login.go b/selfservice/strategy/code/strategy_login.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/ory/kratos/selfservice/strategy/idfirst"
 	"github.com/ory/kratos/text"
 
 	"github.com/ory/x/sqlcon"
@@ -389,11 +390,15 @@ func (s *Strategy) PopulateLoginMethodSecondFactorRefresh(r *http.Request, f *lo
 }
 
 func (s *Strategy) PopulateLoginMethodIdentifierFirstCredentials(r *http.Request, f *login.Flow, _ ...login.FormHydratorModifier) error {
-	if s.deps.Config().SelfServiceCodeStrategy(r.Context()).PasswordlessEnabled {
-		f.GetUI().Nodes.Append(
-			node.NewInputField("method", s.ID(), node.CodeGroup, node.InputAttributeTypeSubmit).WithMetaLabel(text.NewInfoSelfServiceLoginCode()),
-		)
+	if !s.deps.Config().SelfServiceCodeStrategy(r.Context()).PasswordlessEnabled {
+		// We only return this if passwordless is disabled, because if it is enabled we can always sign in using this method.
+		return idfirst.ErrNoCredentialsFound
 	}
+
+	f.GetUI().Nodes.Append(
+		node.NewInputField("method", s.ID(), node.CodeGroup, node.InputAttributeTypeSubmit).WithMetaLabel(text.NewInfoSelfServiceLoginCode()),
+	)
+
 	return nil
 }
 

diff --git a/selfservice/strategy/code/strategy_login_test.go b/selfservice/strategy/code/strategy_login_test.go
@@ -13,6 +13,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/kratos/selfservice/strategy/idfirst"
+
 	configtesthelpers "github.com/ory/kratos/driver/config/testhelpers"
 
 	"github.com/ory/kratos/driver"
@@ -916,7 +918,7 @@ func TestFormHydration(t *testing.T) {
 		t.Run("case=WithIdentifier", func(t *testing.T) {
 			t.Run("case=code is used for 2fa", func(t *testing.T) {
 				r, f := newFlow(mfaEnabled, t)
-				require.NoError(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentifier("foo@bar.com")))
+				require.ErrorIs(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentifier("foo@bar.com")), idfirst.ErrNoCredentialsFound)
 				toSnapshot(t, f)
 			})
 
@@ -934,7 +936,7 @@ func TestFormHydration(t *testing.T) {
 						configtesthelpers.WithConfigValue(mfaEnabled, config.ViperKeySecurityAccountEnumerationMitigate, true),
 						t,
 					)
-					require.NoError(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentifier("foo@bar.com")))
+					require.ErrorIs(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentifier("foo@bar.com")), idfirst.ErrNoCredentialsFound)
 					toSnapshot(t, f)
 				})
 
@@ -955,7 +957,7 @@ func TestFormHydration(t *testing.T) {
 
 					t.Run("case=code is used for 2fa", func(t *testing.T) {
 						r, f := newFlow(mfaEnabled, t)
-						require.NoError(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentityHint(id)))
+						require.ErrorIs(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentityHint(id)), idfirst.ErrNoCredentialsFound)
 						toSnapshot(t, f)
 					})
 
@@ -971,7 +973,7 @@ func TestFormHydration(t *testing.T) {
 
 					t.Run("case=code is used for 2fa", func(t *testing.T) {
 						r, f := newFlow(mfaEnabled, t)
-						require.NoError(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentityHint(id)))
+						require.ErrorIs(t, fh.PopulateLoginMethodIdentifierFirstCredentials(r, f, login.WithIdentityHint(id)), idfirst.ErrNoCredentialsFound)
 						toSnapshot(t, f)
 					})
 

diff --git a/selfservice/strategy/idfirst/strategy_login.go b/selfservice/strategy/idfirst/strategy_login.go
@@ -6,10 +6,11 @@ package idfirst
 import (
 	"net/http"
 
+	"github.com/ory/kratos/schema"
+
 	"github.com/pkg/errors"
 
 	"github.com/ory/kratos/identity"
-	"github.com/ory/kratos/schema"
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/flow/login"
 	"github.com/ory/kratos/session"
@@ -22,6 +23,7 @@ import (
 
 var _ login.FormHydrator = new(Strategy)
 var _ login.Strategy = new(Strategy)
+var ErrNoCredentialsFound = errors.New("no credentials found")
 
 func (s *Strategy) handleLoginError(w http.ResponseWriter, r *http.Request, f *login.Flow, payload *updateLoginFlowWithIdentifierFirstMethod, err error) error {
 	if f != nil {
@@ -64,13 +66,10 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
 		false,
 	)
 	if errors.Is(err, sqlcon.ErrNoRows) {
-		// User not found
-		if !s.d.Config().SecurityAccountEnumerationMitigate(r.Context()) {
-			// We don't have to mitigate account enumeration and show the user that the account doesn't exist
-			return nil, s.handleLoginError(w, r, f, &p, errors.WithStack(schema.NewAccountNotFoundError()))
-		}
-
+		// If the user is not found, we still want to potentially show the UI for some method. That's why we don't exit here.
 		// We have to mitigate account enumeration. So we continue without setting the identity hint.
+		//
+		// This will later be handled by `didPopulate`.
 	} else if err != nil {
 		// An error happened during lookup
 		return nil, s.handleLoginError(w, r, f, &p, err)
@@ -88,17 +87,47 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
 	opts = append(opts, login.WithIdentityHint(identityHint))
 	opts = append(opts, login.WithIdentifier(p.Identifier))
 
+	didPopulate := false
 	for _, ls := range s.d.LoginStrategies(r.Context()) {
 		populator, ok := ls.(login.FormHydrator)
 		if !ok {
 			continue
 		}
 
 		if err := populator.PopulateLoginMethodIdentifierFirstCredentials(r, f, opts...); errors.Is(err, login.ErrBreakLoginPopulate) {
+			didPopulate = true
 			break
+		} else if errors.Is(err, ErrNoCredentialsFound) {
+			// This strategy is not responsible for this flow. We do not set didPopulate to true if that happens.
 		} else if err != nil {
 			return nil, s.handleLoginError(w, r, f, &p, err)
+		} else {
+			didPopulate = true
+		}
+	}
+
+	// If no strategy populated, it means that the account (very likely) does not exist. We show a user not found error,
+	// but only if account enumeration mitigation is disabled. Otherwise, we proceed to render the rest of the form.
+	if !didPopulate && !s.d.Config().SecurityAccountEnumerationMitigate(r.Context()) {
+		return nil, s.handleLoginError(w, r, f, &p, errors.WithStack(schema.NewAccountNotFoundError()))
+	}
+
+	// We found credentials - hide the identifier.
+	f.UI.GetNodes().RemoveMatching(node.NewInputField("method", s.ID(), s.NodeGroup(), node.InputAttributeTypeSubmit))
+
+	// We set the identifier to hidden, so it's still available in the form but not visible to the user.
+	for k, n := range f.UI.Nodes {
+		if n.ID() != "identifier" {
+			continue
+		}
+
+		attrs, ok := f.UI.Nodes[k].Attributes.(*node.InputAttributes)
+		if !ok {
+			continue
 		}
+
+		attrs.Type = node.InputAttributeTypeHidden
+		f.UI.Nodes[k].Attributes = attrs
 	}
 
 	f.Active = s.ID()
@@ -149,25 +178,8 @@ func (s *Strategy) PopulateLoginMethodIdentifierFirstIdentification(r *http.Requ
 	return nil
 }
 
-func (s *Strategy) PopulateLoginMethodIdentifierFirstCredentials(_ *http.Request, f *login.Flow, _ ...login.FormHydratorModifier) error {
-	f.UI.GetNodes().RemoveMatching(node.NewInputField("method", s.ID(), s.NodeGroup(), node.InputAttributeTypeSubmit))
-
-	// We set the identifier to hidden, so it's still available in the form but not visible to the user.
-	for k, n := range f.UI.Nodes {
-		if n.ID() != "identifier" {
-			continue
-		}
-
-		attrs, ok := f.UI.Nodes[k].Attributes.(*node.InputAttributes)
-		if !ok {
-			continue
-		}
-
-		attrs.Type = node.InputAttributeTypeHidden
-		f.UI.Nodes[k].Attributes = attrs
-	}
-
-	return nil
+func (s *Strategy) PopulateLoginMethodIdentifierFirstCredentials(_ *http.Request, f *login.Flow, opts ...login.FormHydratorModifier) error {
+	return ErrNoCredentialsFound
 }
 
 func (s *Strategy) RegisterLoginRoutes(_ *x.RouterPublic) {}