ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0
11.12k stars 954 forks

"The recovery token is invalid or has already been used" but it's not. #3971

Closed frederikhors closed 2 months ago

frederikhors commented 3 months ago

I'm having an issue with Kratos self hosted.

When I start a new recovery flow with email, I get the email and the link like:

https://custom_domain.com/self-service/recovery?flow=b12ff5cd-09a3-852c-8e27-ca5123489444&token=AtlocRrLsHIr8ZYMRIsFj8QmduKp

If, for example, I send this link in a chat, or there is a mail system (maybe an ANTI-SPAM extension) that "navigates" this link, the token is signed in the DB as "used" but it's not!

And when a user clicks that link they get:

The recovery token is invalid or has already been used.

Is there a way to disable the "flag as used" option in Kratos?

This is tragic!

Version

1.2.0

frederikhors commented 2 months ago

No one? This is very tricky to fix by ourselves.

jonas-jonas commented 2 months ago

This is the reason we introduced the code strategy. Is that an option for you?
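The failure mode reported above and the remedy jonas-jonas points to can be shown side by side. The following is an added, self-contained Go model written for this page; it is not Kratos code and does not reproduce Kratos internals. It assumes a `Store` keyed by flow ID, that the link strategy's `GET` of `/self-service/recovery?flow=…&token=…` is the request that spends the token (as the reported behaviour implies), and that a code strategy's `GET` only renders a form while the short code is spent on an explicit `POST`. The names `Issue`, `OpenLink`, `OpenCodeFlow`, `SubmitCode`, `Simulate` and `maxCodeAttempts` are this example's own. `Simulate` plays the scenario from the report: a mail scanner fetches the emailed URL first, then the real user acts.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Illustrative model only (not Kratos code). Link strategy: the secret is in the
// URL and is consumed when the URL is fetched, so a link scanner burns it.
// Code strategy: the URL carries just the flow ID; the secret is consumed only
// when the user submits it in the form.
var ErrTokenInvalid = errors.New("the recovery token is invalid or has already been used")

// Short codes are guessable, so a flow dies after too many wrong submissions.
const maxCodeAttempts = 5

type recoveryFlow struct {
	secret   string
	expires  time.Time
	used     bool
	attempts int
}

type Store struct {
	mu    sync.Mutex
	flows map[string]*recoveryFlow // keyed by flow ID
}

func NewStore() *Store { return &Store{flows: map[string]*recoveryFlow{}} }

func randomURLSafe(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func randomCode(digits int) string {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(digits)), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf("%0*d", digits, n.Int64())
}

// Issue creates a flow and returns its ID plus the secret to email: a long
// token for the link strategy, a short code for the code strategy.
func (s *Store) Issue(strategy string, ttl time.Duration) (flowID, secret string) {
	flowID = randomURLSafe(16)
	if strategy == "link" {
		secret = randomURLSafe(24)
	} else {
		secret = randomCode(6)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.flows[flowID] = &recoveryFlow{secret: secret, expires: time.Now().Add(ttl)}
	return flowID, secret
}

// consume verifies the secret once and marks the flow used on success.
func (s *Store) consume(flowID, secret string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	f, ok := s.flows[flowID]
	if !ok || f.used || time.Now().After(f.expires) || f.attempts >= maxCodeAttempts {
		return ErrTokenInvalid
	}
	if subtle.ConstantTimeCompare([]byte(f.secret), []byte(secret)) != 1 {
		f.attempts++
		return ErrTokenInvalid
	}
	f.used = true
	return nil
}

// OpenLink models GET ...?flow=...&token=...: fetching the URL spends the token.
func (s *Store) OpenLink(flowID, token string) error { return s.consume(flowID, token) }

// OpenCodeFlow models GET ...?flow=...: it renders the form and spends nothing.
func (s *Store) OpenCodeFlow(flowID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	f, ok := s.flows[flowID]
	if !ok || f.used || time.Now().After(f.expires) {
		return ErrTokenInvalid
	}
	return nil
}

// SubmitCode models the POST of the code the user typed into the form.
func (s *Store) SubmitCode(flowID, code string) error { return s.consume(flowID, code) }

// Simulate: a mail scanner fetches the emailed URL first, then the user acts.
func Simulate(strategy string) (scannerErr, userErr error) {
	s := NewStore()
	flowID, secret := s.Issue(strategy, time.Hour)
	if strategy == "link" {
		scannerErr = s.OpenLink(flowID, secret) // scanner has the full URL, token included
		userErr = s.OpenLink(flowID, secret)    // the user clicks later and is rejected
		return
	}
	scannerErr = s.OpenCodeFlow(flowID)    // scanner only sees the form
	userErr = s.SubmitCode(flowID, secret) // the user types the code from the email
	return
}

func main() {
	for _, strategy := range []string{"link", "code"} {
		scanner, user := Simulate(strategy)
		fmt.Printf("%-4s strategy: scanner err=%v, user err=%v\n", strategy, scanner, user)
	}
}
```

With the link strategy the scanner's fetch succeeds and the user's click fails with exactly the message in the report; with the code strategy the scanner's fetch is harmless and the user's submission succeeds. The attempt cap is the caveat that comes with moving to short codes: a six-digit code is not a 24-byte token, so the flow has to stop accepting guesses.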

frederikhors commented 2 months ago

Thank you.