Hook `require_verified_address`: option to require all of the addresses to be verified

ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.

Apache License 2.0

11.32k stars 963 forks source link

Preflight checklist

[X] I could not find a solution in the existing issues, docs, nor discussions.
[X] I agree to follow this project's Code of Conduct.
[X] I have read and am following this repository's Contribution Guidelines.
[ ] I have joined the Ory Community Slack.
[ ] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

At the moment require_verified_address requires at least one of the addresses to be verified:
https://github.com/ory/kratos/blob/master/selfservice/hook/address_verifier.go#L39-L49
E.g. it's impossible to require both phone and email to be verified (for example).

Describe your ideal solution

Add an option to hook config to require all of the addresses to be verified.

Workarounds or alternatives

Version

1.2.0

Additional Context

No response

ory / kratos