From 4544a6c2c9ba28b4b2fa8911ab07a426c969552a Mon Sep 17 00:00:00 2001 From: Rashmini Date: Mon, 9 Oct 2023 13:21:22 +0530 Subject: [PATCH] Concat recovery flow id with the secret for EXTERNAL channel --- .../impl/password/PasswordRecoveryManagerImpl.java | 12 ++++++------ .../NotificationPasswordRecoveryManager.java | 12 ++++++------ .../wso2/carbon/identity/recovery/util/Utils.java | 5 +++-- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java index f12522f9a8..7dde3f6d02 100644 --- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java +++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java @@ -295,9 +295,8 @@ public PasswordResetCodeDTO confirm(String otp, String confirmationCode, String IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_CODE.getCode(), IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE.getMessage(), code); } catch (IdentityRecoveryException e) { - /* This method is to support already initiated email link based recovery flows using the recovery V1 API, - which do not have recovery flow ids, and handle recovery flows when the notifications are externally - managed. */ + /* This is a fallback logic to support already initiated email link based recovery flows and EXTERNAL + channel based recovery flows using the recovery V1 API, which do not have recovery flow ids. */ return validateConfirmationCode(userAccountRecoveryManager, recoveryFlowId, tenantDomain); } } 
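Review bot: The catch block that closes the first hunk of PasswordRecoveryManagerImpl.java falls back to `validateConfirmationCode(userAccountRecoveryManager, recoveryFlowId, tenantDomain)` for every `IdentityRecoveryException` and never inspects or logs `e`, so any failure of the flow-id based validation is retried through the legacy path, not only a missing flow id. If the primary path can also fail for other reasons, such as an expired or invalidated flow (not visible in this hunk), those failures are masked. Consider falling back only on the error code that signals an unknown recovery flow id, and logging `e` at debug level before the fallback. The value passed as the confirmation code is the variable named `recoveryFlowId`; the new comment should say why that is correct for legacy codes, once confirmed against the start of confirm(), which lies outside the hunk. The same unconditional fallback appears in the catch of updateUserPassword in NotificationPasswordRecoveryManager.java, which calls `validateUserRecoveryDataFromCode(code, confirmationCode, password, properties)`.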
@@ -893,9 +892,10 @@ private boolean isMinNoOfRecoveryQuestionsAnswered(String username, String tenan } /** - * This method is added to handle the already initiated email link based recovery flows which do not have - * recovery flow ids, which were initiated before moving to the Recovery V2 API. This also handles the - * recovery flows when the notifications are externally managed. + * This method is to validate the confirmation code when there's no recovery flow id. This is added as a fallback + * logic to handle the already initiated email link based recovery flows and EXTERNAL channel based recovery flows + * which do not have recovery flow ids, which were initiated before moving to the Recovery V2 API. + * This shouldn't be used for any other purpose and should be kept for sometime. * * @param userAccountRecoveryManager UserAccountRecoveryManager. * @param confirmationCode Confirmation code. diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java index aa19c6a60a..85faad57ec 100644 --- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java +++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java 
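Review bot: The added Javadoc sentence `This shouldn't be used for any other purpose and should be kept for sometime.` gives no condition under which the fallback can be removed, which matters because this method validates a code that is not bound to a recovery flow id. Suggest wording such as `Fallback only: remove once confirmation codes issued without a recovery flow id can no longer be valid.`, plus a TODO with the tracking reference (placeholder `<ISSUE-ID>`) if the project keeps one. "sometime" should read "some time". The same sentence is added to the Javadoc of the fallback method in NotificationPasswordRecoveryManager.java; both method bodies lie outside their hunks.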
@@ -715,9 +715,8 @@ public User updateUserPassword(String code, String confirmationCode, String pass IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE.getMessage(), code); } } catch (IdentityRecoveryException e) { - /* This method is to support already initiated email link based recovery flows using the recovery V1 API, - which do not have recovery flow ids, and handle recovery flows when the notifications are externally - managed. */ + /* This is a fallback logic to support already initiated email link based recovery flows and EXTERNAL + channel based recovery flows using the recovery V1 API, which do not have recovery flow ids. */ userRecoveryData = validateUserRecoveryDataFromCode(code, confirmationCode, password, properties); } @@ -785,9 +784,10 @@ public User updateUserPassword(String code, String confirmationCode, String pass } /** - * This method is added to handle the already initiated email link based recovery flows which do not have - * recovery flow ids, which were initiated before moving to the Recovery V2 API. This also handles the - * recovery flows when the notifications are externally managed. + * This method is to validate user recovery data using the reset code when there's no recovery flow id. + * This is added as a fallback logic to handle the already initiated email link based recovery flows and EXTERNAL + * channel based recovery flows which do not have recovery flow ids, which were initiated before moving to the + * Recovery V2 API. This shouldn't be used for any other purpose and should be kept for sometime. * * @param code Password Reset code. * @param confirmationCode Confirmation code. diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java index 36692ba562..cdde41b271 100644 
--- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java +++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/util/Utils.java @@ -1204,8 +1204,9 @@ public static String generateSecretKey(String channel, String tenantDomain, Stri */ public static String concatRecoveryFlowIdWithSecretKey(String recoveryFlowId, String notificationChannel, String secretKey) { - if (recoveryFlowId != null && StringUtils.equals(notificationChannel, - NotificationChannels.EMAIL_CHANNEL.getChannelType())) { + if (recoveryFlowId != null && (StringUtils.equals(notificationChannel, NotificationChannels.EMAIL_CHANNEL. + getChannelType()) || StringUtils.equals(notificationChannel, NotificationChannels.EXTERNAL_CHANNEL. + getChannelType()))) { secretKey = recoveryFlowId + IdentityRecoveryConstants.CONFIRMATION_CODE_SEPARATOR + secretKey; } return secretKey;
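Review bot: With EXTERNAL added to the condition in concatRecoveryFlowIdWithSecretKey, the code handed to an externally managed channel becomes `recoveryFlowId + IdentityRecoveryConstants.CONFIRMATION_CODE_SEPARATOR + secretKey`, and nothing visible here guarantees that the secret key generated for that channel cannot itself contain the separator. If the consuming side splits on the separator, which is presumed and not shown, such a key would be parsed ambiguously, so this is worth confirming against generateSecretKey and stating in the method's Javadoc, which ends just above the hunk. The condition is also hard to read with the line breaks inside `NotificationChannels.EMAIL_CHANNEL. getChannelType()`; pulling the test into a local, e.g. `boolean flowIdChannel = StringUtils.equals(notificationChannel, NotificationChannels.EMAIL_CHANNEL.getChannelType()) || StringUtils.equals(notificationChannel, NotificationChannels.EXTERNAL_CHANNEL.getChannelType());` followed by `if (recoveryFlowId != null && flowIdChannel) {`, would keep each call on one line. A null `recoveryFlowId` still returns the bare secret key without comment, which sends that code down the legacy validation path; a one-line comment saying this is intended would help.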