wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Account recovery api v2 returns 500 when invalid channel id added in the request body in recovery api call. #21659

Open Malith-19 opened 2 weeks ago

Malith-19 commented 2 weeks ago

Describe the issue: The account recovery v2 API returns a 500 status code when the user sets an invalid channel id in the request body of /recovery/password/recover. This should return 400 since the issue is from the invalid request body.

How to reproduce:

  1. Try the username/password init API call and get a recovery code for the recovery with the following API call.

```
curl --location 'https://localhost:9443/api/users/v2/recovery/password/init' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
  "claims": [
    {
      "uri": "http://wso2.org/claims/username",
      "value": "<username>"
    }
  ]
}'
```

  2. Then use an invalid channel id in the recovery API call.

```
curl --location 'https://localhost:9443/api/users/v2/recovery/password/recover' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
  "recoveryCode": <recovery_code from the previous api call>,
  "channelId": <invalid channel id>
}'
```

Current behavior

```
{
    "code": "UAR-10004",
    "message": "Internal server error",
    "description": "Channel ID does not exist",
    "traceId": "455ba900-e59a-4398-9a94-cb85a4994581"
}
```

Expected behavior: Status code should be changed to 400.

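The status mapping the issue asks for, as an added sketch that is not part of the original issue and not WSO2's code: a request-caused failure such as an unknown channel id maps to 400, while unexpected failures map to 500 with a generic body. All class and method names, the "Bad Request" message, the channel map and the placeholder server error code are assumptions; only `UAR-10004` and its description come from the response above.

```java
import java.util.Map;

public class RecoveryErrorMapping {

    /** Hypothetical type: thrown when the request itself is at fault. */
    static class ClientException extends Exception {
        final String code;
        ClientException(String code, String description) {
            super(description);
            this.code = code;
        }
    }

    /** Hypothetical error body modelled on the response in the issue (traceId omitted). */
    record ErrorBody(int status, String code, String message, String description) {}

    /** Looks up the channel offered for a recovery code; an unknown id is a client error. */
    static String resolveChannel(Map<String, String> offered, String channelId)
            throws ClientException {
        // Map.of() rejects null keys on lookup, so guard before calling get().
        String channel = (channelId == null) ? null : offered.get(channelId);
        if (channel == null) {
            throw new ClientException("UAR-10004", "Channel ID does not exist");
        }
        return channel;
    }

    /** Maps exceptions to an HTTP status: request faults are 400, everything else is 500. */
    static ErrorBody toErrorBody(Exception e) {
        if (e instanceof ClientException ce) {
            return new ErrorBody(400, ce.code, "Bad Request", ce.getMessage());
        }
        // Unexpected failure: keep the detail in server logs, return a generic body.
        return new ErrorBody(500, "PLACEHOLDER-SERVER-CODE", "Internal server error",
                "Unexpected error");
    }

    public static void main(String[] args) {
        // Constructed sample: channels offered by the init call for one recovery code.
        Map<String, String> offered = Map.of("1", "EMAIL", "2", "SMS");
        for (String id : new String[] {"1", "99"}) {
            try {
                System.out.println(id + " -> " + resolveChannel(offered, id));
            } catch (Exception e) {
                System.out.println(id + " -> " + toErrorBody(e));
            }
        }
        // A non-client failure stays a 500 and does not echo its internal message.
        System.out.println(toErrorBody(new IllegalStateException("db down")));
    }
}
```

This uses records and pattern matching for `instanceof`, so it needs Java 16 or later.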

kumardeepak5 commented 1 week ago

Hi @Malith-19, are you currently working on this issue? I’d like to contribute. Could you please confirm?

Malith-19 commented 1 week ago

Hi @kumardeepak5, no, I'm not working on this issue and you can start working.

kumardeepak5 commented 1 week ago

Hi @Malith-19, just a gentle reminder to review the related PR.