Concat recovery flow id with the secret for EXTERNAL channel

wso2-extensions · Oct 9, 2023 · 4544a6c · 4544a6c
1 parent efa8f05
commit 4544a6c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 14 deletions.
diff --git a/.../carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java b/.../carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java
@@ -295,9 +295,8 @@ public PasswordResetCodeDTO confirm(String otp, String confirmationCode, String
                     IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_CODE.getCode(),
                     IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE.getMessage(), code);
         } catch (IdentityRecoveryException e) {
-            /* This method is to support already initiated email link based recovery flows using the recovery V1 API,
-            which do not have recovery flow ids, and handle recovery flows when the notifications are externally
-            managed. */
+            /* This is a fallback logic to support already initiated email link based recovery flows and EXTERNAL
+            channel based recovery flows using the recovery V1 API, which do not have recovery flow ids. */
             return validateConfirmationCode(userAccountRecoveryManager, recoveryFlowId, tenantDomain);
         }
     }
@@ -893,9 +892,10 @@ private boolean isMinNoOfRecoveryQuestionsAnswered(String username, String tenan
     }
 
     /**
-     * This method is added to handle the already initiated email link based recovery flows which do not have
-     * recovery flow ids, which were initiated before moving to the Recovery V2 API. This also handles the
-     * recovery flows when the notifications are externally managed.
+     * This method is to validate the confirmation code when there's no recovery flow id. This is added as a fallback
+     * logic to handle the already initiated email link based recovery flows and EXTERNAL channel based recovery flows
+     * which do not have recovery flow ids, which were initiated before moving to the Recovery V2 API.
+     * This shouldn't be used for any other purpose and should be kept for sometime.
      *
      * @param userAccountRecoveryManager UserAccountRecoveryManager.
      * @param confirmationCode Confirmation code.

diff --git a/.../java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java b/.../java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java
@@ -715,9 +715,8 @@ public User updateUserPassword(String code, String confirmationCode, String pass
                         IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE.getMessage(), code);
             }
         } catch (IdentityRecoveryException e) {
-            /* This method is to support already initiated email link based recovery flows using the recovery V1 API,
-            which do not have recovery flow ids, and handle recovery flows when the notifications are externally
-            managed. */
+            /* This is a fallback logic to support already initiated email link based recovery flows and EXTERNAL
+            channel based recovery flows using the recovery V1 API, which do not have recovery flow ids. */
             userRecoveryData = validateUserRecoveryDataFromCode(code, confirmationCode, password, properties);
         }
 
@@ -785,9 +784,10 @@ public User updateUserPassword(String code, String confirmationCode, String pass
     }
 
     /**
-     * This method is added to handle the already initiated email link based recovery flows which do not have
-     * recovery flow ids, which were initiated before moving to the Recovery V2 API. This also handles the
-     * recovery flows when the notifications are externally managed.
+     * This method is to validate user recovery data using the reset code when there's no recovery flow id.
+     * This is added as a fallback logic to handle the already initiated email link based recovery flows and EXTERNAL
+     * channel based recovery flows which do not have recovery flow ids, which were initiated before moving to the
+     * Recovery V2 API. This shouldn't be used for any other purpose and should be kept for sometime.
      *
      * @param code                       Password Reset code.
      * @param confirmationCode           Confirmation code.

diff --git a/....carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java b/....carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java
@@ -1204,8 +1204,9 @@ public static String generateSecretKey(String channel, String tenantDomain, Stri
      */
     public static String concatRecoveryFlowIdWithSecretKey(String recoveryFlowId, String notificationChannel,
                                                            String secretKey) {
-        if (recoveryFlowId != null && StringUtils.equals(notificationChannel,
-                NotificationChannels.EMAIL_CHANNEL.getChannelType())) {
+        if (recoveryFlowId != null && (StringUtils.equals(notificationChannel, NotificationChannels.EMAIL_CHANNEL.
+                getChannelType()) || StringUtils.equals(notificationChannel, NotificationChannels.EXTERNAL_CHANNEL.
+                getChannelType()))) {
             secretKey = recoveryFlowId + IdentityRecoveryConstants.CONFIRMATION_CODE_SEPARATOR + secretKey;
         }
         return secretKey;