When password recovery is performed via the User Account Recovery API V2 [1] using challenge questions [2], and the fix for [3] is applied, the password recovery managers are extracted, and the recoveryInformationDTO is retrieved as follows:
    for (PasswordRecoveryManager manager : passwordRecoveryManagers) {
        tempDTO = manager.initiate(userClaims, tenantDomain,
                RecoveryUtil.buildPropertiesMap(initRequest.getProperties()));
        if (!(manager instanceof PasswordRecoveryManagerImpl)) {
            // Get the challenge question-based password recovery configurations.
            LOG.debug("Considering PasswordRecoveryManager to be ChallengeQuestionPasswordRecoveryManager " +
                    "and retrieving question-based recovery configurations.");
            isQuestionBasedRecoveryEnabled = tempDTO.isQuestionBasedRecoveryEnabled();
            isQuestionBasedRecoveryAllowedForUser = tempDTO.isQuestionBasedRecoveryAllowedForUser();
        } else {
            // Get the configurations for the notification-based password recovery manager.
            recoveryInformationDTO = tempDTO;
        }
    }
With the above approach, the code behaves correctly when the notification-based password recovery manager is the last member of the passwordRecoveryManagers list. However, if the security question-based password recovery manager is the last member of the list, the existing user recovery data is invalidated at [4] and new recovery data based on security questions is stored through [5]. This new recovery data is not used in the source code section above, so the recoveryCode returned in the init response has already been invalidated. Consequently, if this recovery code is used in the recover request, it fails with the following error message.
Note: This issue occurs intermittently. To reproduce it, you may need to restart the server multiple times, which changes the order of the password recovery managers in the source code section mentioned above.
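To make the ordering dependence concrete, here is an added, self-contained Python model of the loop above; it is not WSO2 code, and the class names, the store's behaviour and the initiate_checked guard are simplified assumptions rather than the project's fix. It shows that when the question-based manager runs last, the code carried by the returned DTO is one the store has already invalidated, and how a guard that re-validates the code before returning it turns that into an error instead of a dead recoveryCode.

```python
import secrets
from dataclasses import dataclass
class RecoveryDataStore:
    """Constructed stand-in for the JDBC recovery data store: one live code per user."""
    def __init__(self):
        self.codes = {}
    def invalidate(self, user):
        self.codes.pop(user, None)
    def store(self, user):
        self.codes[user] = secrets.token_hex(8)
        return self.codes[user]
    def is_valid(self, user, code):
        return code is not None and self.codes.get(user) == code

@dataclass
class RecoveryInformationDTO:
    recovery_code: "str | None"

class NotificationRecoveryManager:
    """Stands in for PasswordRecoveryManagerImpl: issues the code the response carries."""
    def __init__(self, store):
        self.store = store
    def initiate(self, user):
        self.store.invalidate(user)
        return RecoveryInformationDTO(self.store.store(user))

class ChallengeQuestionRecoveryManager:
    """Stands in for the question-based manager: as at [4] and [5], wipes and re-stores."""
    def __init__(self, store):
        self.store = store
    def initiate(self, user):
        self.store.invalidate(user)
        self.store.store(user)  # new question-based data; its code is never returned
        return RecoveryInformationDTO(None)

def initiate_as_reported(managers, user):
    """Mirrors the loop above: the notification DTO is kept no matter what runs after it."""
    info = None
    for manager in managers:
        dto = manager.initiate(user)
        if isinstance(manager, NotificationRecoveryManager):
            info = dto
    return info

def initiate_checked(managers, store, user):
    """Assumed guard (not the project's fix): refuse to return a code the store already rejects."""
    info = initiate_as_reported(managers, user)
    if info is None or not store.is_valid(user, info.recovery_code):
        raise RuntimeError("recovery code was invalidated before being returned")
    return info
```

Swapping the two managers in the list is enough to flip the outcome, which is why the report's restart-until-it-reorders reproduction works.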
Version
wso2is-7.0.0.83
Environment Details (with versions)
OS: Mac OS
Database: H2
Userstore: JDBC
The above logic should be reviewed and updated to ensure that invalidated recovery codes are not returned in the response.
[1] - https://is.docs.wso2.com/en/latest/apis/user-account-recovery-v2-rest-api/#tag/Password-Recovery
[2] - https://store.wso2.com/connector/identity-challenge-questions
[3] - #21106
[4] - https://github.com/wso2-extensions/identity-governance/blob/v1.9.6/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/UserAccountRecoveryManager.java#L1070
[5] - https://github.com/wso2-extensions/identity-governance/blob/v1.9.6/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/store/JDBCRecoveryDataStore.java#L114-L153
Steps to Reproduce
1. Send the init request with the username as follows:
2. Send the recover request using the recoveryCode received from the above request: