GO-2024-3160: Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos

link

package

v0.9.0-alpha.1.pre.0 Latest Latest Go to latest Published: Mar 21, 2022 License: Apache-2.0 Imports: 34 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ory/kratos

Documentation ¶

Index ¶

Constants
Variables
type FlowMethod
type RecoveryToken
- func NewRecoveryToken(identityID uuid.UUID, expiresIn time.Duration) *RecoveryToken
- func NewSelfServiceRecoveryToken(address *identity.RecoveryAddress, f *recovery.Flow, expiresIn time.Duration) *RecoveryToken
- func (RecoveryToken) TableName(ctx context.Context) string
- func (f *RecoveryToken) Valid() error
type RecoveryTokenPersistenceProvider
type RecoveryTokenPersister
type Sender
- func NewSender(r senderDependencies) *Sender
- func (s *Sender) SendRecoveryLink(ctx context.Context, r *http.Request, f *recovery.Flow, ...) error
- func (s *Sender) SendRecoveryTokenTo(ctx context.Context, f *recovery.Flow, i *identity.Identity, ...) error
- func (s *Sender) SendVerificationLink(ctx context.Context, f *verification.Flow, via identity.VerifiableAddressType, ...) error
- func (s *Sender) SendVerificationTokenTo(ctx context.Context, f *verification.Flow, i *identity.Identity, ...) error
type SenderProvider
type Strategy
- func NewStrategy(d strategyDependencies) *Strategy
- func (s *Strategy) HandleRecoveryError(w http.ResponseWriter, r *http.Request, req *recovery.Flow, ...) error
- func (s *Strategy) PopulateRecoveryMethod(r *http.Request, f *recovery.Flow) error
- func (s *Strategy) PopulateVerificationMethod(r *http.Request, f *verification.Flow) error
- func (s *Strategy) Recover(w http.ResponseWriter, r *http.Request, f *recovery.Flow) (err error)
- func (s *Strategy) RecoveryNodeGroup() node.Group
- func (s *Strategy) RecoveryStrategyID() string
- func (s *Strategy) RegisterAdminRecoveryRoutes(admin *x.RouterAdmin)
- func (s *Strategy) RegisterAdminVerificationRoutes(admin *x.RouterAdmin)
- func (s *Strategy) RegisterPublicRecoveryRoutes(public *x.RouterPublic)
- func (s *Strategy) RegisterPublicVerificationRoutes(public *x.RouterPublic)
- func (s *Strategy) VerificationNodeGroup() node.Group
- func (s *Strategy) VerificationStrategyID() string
- func (s *Strategy) Verify(w http.ResponseWriter, r *http.Request, f *verification.Flow) (err error)
type VerificationToken
- func NewSelfServiceVerificationToken(address *identity.VerifiableAddress, f *verification.Flow, ...) *VerificationToken
- func (VerificationToken) TableName(ctx context.Context) string
- func (f *VerificationToken) Valid() error
type VerificationTokenPersistenceProvider
type VerificationTokenPersister

Constants ¶

View Source

const (
	RouteAdminCreateRecoveryLink = "/recovery/link"
)

Variables ¶

View Source

var ErrUnknownAddress = errors.New("verification requested for unknown address")

Functions ¶

This section is empty.

Types ¶

type FlowMethod ¶

type FlowMethod struct {
	*container.Container
}

FlowMethod contains the configuration for this selfservice strategy.

type RecoveryToken ¶

type RecoveryToken struct {
	// ID represents the tokens's unique ID.
	//
	// required: true
	// type: string
	// format: uuid
	ID uuid.UUID `json:"id" db:"id" faker:"-"`

	// Token represents the recovery token. It can not be longer than 64 chars!
	Token string `json:"-" db:"token"`

	// RecoveryAddress links this token to a recovery address.
	// required: true
	RecoveryAddress *identity.RecoveryAddress `json:"recovery_address" belongs_to:"identity_recovery_addresses" fk_id:"RecoveryAddressID"`

	// ExpiresAt is the time (UTC) when the token expires.
	// required: true
	ExpiresAt time.Time `json:"expires_at" faker:"time_type" db:"expires_at"`

	// IssuedAt is the time (UTC) when the token was issued.
	// required: true
	IssuedAt time.Time `json:"issued_at" faker:"time_type" db:"issued_at"`

	// CreatedAt is a helper struct field for gobuffalo.pop.
	CreatedAt time.Time `json:"-" faker:"-" db:"created_at"`
	// UpdatedAt is a helper struct field for gobuffalo.pop.
	UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"`
	// RecoveryAddressID is a helper struct field for gobuffalo.pop.
	RecoveryAddressID *uuid.UUID `json:"-" faker:"-" db:"identity_recovery_address_id"`
	// FlowID is a helper struct field for gobuffalo.pop.
	FlowID     uuid.NullUUID `json:"-" faker:"-" db:"selfservice_recovery_flow_id"`
	NID        uuid.UUID     `json:"-"  faker:"-" db:"nid"`
	IdentityID uuid.UUID     `json:"identity_id"  faker:"-" db:"identity_id"`
}

func NewRecoveryToken ¶

func NewRecoveryToken(identityID uuid.UUID, expiresIn time.Duration) *RecoveryToken

func NewSelfServiceRecoveryToken ¶

func NewSelfServiceRecoveryToken(address *identity.RecoveryAddress, f *recovery.Flow, expiresIn time.Duration) *RecoveryToken

func (RecoveryToken) TableName ¶

func (RecoveryToken) TableName(ctx context.Context) string

func (*RecoveryToken) Valid ¶

func (f *RecoveryToken) Valid() error

type RecoveryTokenPersistenceProvider ¶

type RecoveryTokenPersistenceProvider interface {
	RecoveryTokenPersister() RecoveryTokenPersister
}

type RecoveryTokenPersister ¶

type RecoveryTokenPersister interface {
	CreateRecoveryToken(ctx context.Context, token *RecoveryToken) error
	UseRecoveryToken(ctx context.Context, token string) (*RecoveryToken, error)
	DeleteRecoveryToken(ctx context.Context, token string) error
}

type Sender ¶

type Sender struct {
	// contains filtered or unexported fields
}

func NewSender ¶

func NewSender(r senderDependencies) *Sender

func (*Sender) SendRecoveryLink ¶

func (s *Sender) SendRecoveryLink(ctx context.Context, r *http.Request, f *recovery.Flow, via identity.VerifiableAddressType, to string) error

SendRecoveryLink sends a recovery link to the specified address. If the address does not exist in the store, an email is still being sent to prevent account enumeration attacks. In that case, this function returns the ErrUnknownAddress error.

func (*Sender) SendRecoveryTokenTo ¶

func (s *Sender) SendRecoveryTokenTo(ctx context.Context, f *recovery.Flow, i *identity.Identity, address *identity.RecoveryAddress, token *RecoveryToken) error

func (*Sender) SendVerificationLink ¶

func (s *Sender) SendVerificationLink(ctx context.Context, f *verification.Flow, via identity.VerifiableAddressType, to string) error

SendVerificationLink sends a verification link to the specified address. If the address does not exist in the store, an email is still being sent to prevent account enumeration attacks. In that case, this function returns the ErrUnknownAddress error.

func (*Sender) SendVerificationTokenTo ¶

func (s *Sender) SendVerificationTokenTo(ctx context.Context, f *verification.Flow, i *identity.Identity, address *identity.VerifiableAddress, token *VerificationToken) error

type SenderProvider ¶

type SenderProvider interface {
	LinkSender() *Sender
}

type Strategy ¶

type Strategy struct {
	// contains filtered or unexported fields
}

func NewStrategy ¶

func NewStrategy(d strategyDependencies) *Strategy

func (*Strategy) HandleRecoveryError ¶

func (s *Strategy) HandleRecoveryError(w http.ResponseWriter, r *http.Request, req *recovery.Flow, body *recoverySubmitPayload, err error) error

func (*Strategy) PopulateRecoveryMethod ¶

func (s *Strategy) PopulateRecoveryMethod(r *http.Request, f *recovery.Flow) error

func (*Strategy) PopulateVerificationMethod ¶

func (s *Strategy) PopulateVerificationMethod(r *http.Request, f *verification.Flow) error

func (*Strategy) Recover ¶

func (s *Strategy) Recover(w http.ResponseWriter, r *http.Request, f *recovery.Flow) (err error)

func (*Strategy) RecoveryNodeGroup ¶

func (s *Strategy) RecoveryNodeGroup() node.Group

func (*Strategy) RecoveryStrategyID ¶

func (s *Strategy) RecoveryStrategyID() string

func (*Strategy) RegisterAdminRecoveryRoutes ¶

func (s *Strategy) RegisterAdminRecoveryRoutes(admin *x.RouterAdmin)

func (*Strategy) RegisterAdminVerificationRoutes ¶

func (s *Strategy) RegisterAdminVerificationRoutes(admin *x.RouterAdmin)

func (*Strategy) RegisterPublicRecoveryRoutes ¶

func (s *Strategy) RegisterPublicRecoveryRoutes(public *x.RouterPublic)

func (*Strategy) RegisterPublicVerificationRoutes ¶

func (s *Strategy) RegisterPublicVerificationRoutes(public *x.RouterPublic)

func (*Strategy) VerificationNodeGroup ¶

func (s *Strategy) VerificationNodeGroup() node.Group

func (*Strategy) VerificationStrategyID ¶

func (s *Strategy) VerificationStrategyID() string

func (*Strategy) Verify ¶

func (s *Strategy) Verify(w http.ResponseWriter, r *http.Request, f *verification.Flow) (err error)

type VerificationToken ¶

type VerificationToken struct {
	// ID represents the tokens's unique ID.
	//
	// required: true
	// type: string
	// format: uuid
	ID uuid.UUID `json:"id" db:"id" faker:"-"`

	// Token represents the verification token. It can not be longer than 64 chars!
	Token string `json:"-" db:"token"`

	// VerifiableAddress links this token to a verification address.
	// required: true
	VerifiableAddress *identity.VerifiableAddress `json:"verification_address" belongs_to:"identity_verifiable_addresses" fk_id:"VerificationAddVerifiableAddressIDressID"`

	// ExpiresAt is the time (UTC) when the token expires.
	// required: true
	ExpiresAt time.Time `json:"expires_at" faker:"time_type" db:"expires_at"`

	// IssuedAt is the time (UTC) when the token was issued.
	// required: true
	IssuedAt time.Time `json:"issued_at" faker:"time_type" db:"issued_at"`

	// CreatedAt is a helper struct field for gobuffalo.pop.
	CreatedAt time.Time `json:"-" faker:"-" db:"created_at"`
	// UpdatedAt is a helper struct field for gobuffalo.pop.
	UpdatedAt time.Time `json:"-" faker:"-" db:"updated_at"`
	// VerifiableAddressID is a helper struct field for gobuffalo.pop.
	VerifiableAddressID uuid.UUID `json:"-" faker:"-" db:"identity_verifiable_address_id"`
	// FlowID is a helper struct field for gobuffalo.pop.
	FlowID uuid.NullUUID `json:"-" faker:"-" db:"selfservice_verification_flow_id"`
	NID    uuid.UUID     `json:"-"  faker:"-" db:"nid"`
}

func NewSelfServiceVerificationToken ¶

func NewSelfServiceVerificationToken(address *identity.VerifiableAddress, f *verification.Flow, expiresIn time.Duration) *VerificationToken

func (VerificationToken) TableName ¶

func (VerificationToken) TableName(ctx context.Context) string

func (*VerificationToken) Valid ¶

func (f *VerificationToken) Valid() error

type VerificationTokenPersistenceProvider ¶

type VerificationTokenPersistenceProvider interface {
	VerificationTokenPersister() VerificationTokenPersister
}

type VerificationTokenPersister ¶

type VerificationTokenPersister interface {
	CreateVerificationToken(ctx context.Context, token *VerificationToken) error
	UseVerificationToken(ctx context.Context, token string) (*VerificationToken, error)
	DeleteVerificationToken(ctx context.Context, token string) error
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
test

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL