From b0fff7f49aea551f71c68f2cbd8176fe50fad358 Mon Sep 17 00:00:00 2001
From: UdeshAthukorala
Date: Tue, 9 Jan 2024 14:30:36 +0530
Subject: [PATCH] Skip triggering email/mobile verification during email OTP/SMS OTP flows
---
 .../recovery/IdentityRecoveryConstants.java | 14 ++++++++++++--
 .../handler/MobileNumberVerificationHandler.java | 14 +++++++++++++-
 .../handler/UserEmailVerificationHandler.java | 14 +++++++++++++-
 3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java
index 1bd55319c9..b497d99699 100644
--- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java
+++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java
@@ -844,7 +844,12 @@ public enum SkipEmailVerificationOnUpdateStates {
 /* State maintained to skip triggering an email verification when the update request contains other claims without the email address claim. */
- SKIP_ON_INAPPLICABLE_CLAIMS
+ SKIP_ON_INAPPLICABLE_CLAIMS,
+
+ /* State maintained to skip triggering an email verification, when the email address was updated by user during
+ the Email OTP flow at the first login where the email address is not previously set. At the moment email
+ address was already verified during the email OTP verification. So no need to verify it again. */
+ SKIP_ON_EMAIL_OTP_FLOW
 }
 /**
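Review bot: The comment on `SKIP_ON_EMAIL_OTP_FLOW` says the address "was already verified" but does not state the precondition that makes skipping safe: the state may only be set after the OTP has been validated, and only for the address that OTP was sent to. Because the handlers in this patch treat the state as proof of ownership, I would spell that out, e.g. `/* Set only by the Email OTP flow, after the OTP for this exact address has been validated; the setter must clear it when the update completes or fails. */`. The same applies to `SKIP_ON_SMS_OTP_FLOW` in the next hunk (`@@ -946,6 +951,11`). The enum body starts above the hunk.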
@@ -946,6 +951,11 @@ public enum SkipMobileNumberVerificationOnUpdateStates {
 /* State maintained to skip triggering an SMS OTP verification when the update request contains other claims without the mobile number claim. */
- SKIP_ON_INAPPLICABLE_CLAIMS
+ SKIP_ON_INAPPLICABLE_CLAIMS,
+
+ /* State maintained to skip triggering an SMS OTP verification, when the mobile number was updated by user
+ during the SMS OTP flow at the first login where the mobile number is not previously set. At the moment mobile
+ number was already verified during the SMS OTP verification. So no need to verify it again. */
+ SKIP_ON_SMS_OTP_FLOW
 }
 }
diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/MobileNumberVerificationHandler.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/MobileNumberVerificationHandler.java
index 23c020f104..4e3b7e7790 100644
--- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/MobileNumberVerificationHandler.java
+++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/MobileNumberVerificationHandler.java
@@ -242,6 +242,16 @@ private void preSetUserClaimOnMobileNumberUpdate(Map claims, Use
 return;
 }
+ /*
+ Within the SMS OTP flow, the mobile number is updated in the user profile after successfully verifying the
+ OTP. Therefore, the mobile number is already verified & no need to verify it again.
+ */
+ if (IdentityRecoveryConstants.SkipMobileNumberVerificationOnUpdateStates.SKIP_ON_SMS_OTP_FLOW.toString().equals
+ (Utils.getThreadLocalToSkipSendingSmsOtpVerificationOnUpdate())) {
+ invalidatePendingMobileVerification(user, userStoreManager, claims);
+ return;
+ }
+
 if (Utils.getThreadLocalToSkipSendingSmsOtpVerificationOnUpdate() != null) {
 Utils.unsetThreadLocalToSkipSendingSmsOtpVerificationOnUpdate();
 }
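Review bot: The new early return in `preSetUserClaimOnMobileNumberUpdate` leaves the `SKIP_ON_SMS_OTP_FLOW` thread-local set, while the context lines just below it clear any other non-null state before continuing. If the claim write then fails, or if the post-update handler does not clear the value (its clean-up is not visible in this patch), the state can survive on a pooled thread and let a later, unrelated mobile number update be stored without an SMS OTP. I would make the code that sets the state responsible for clearing it in a `finally`, and record that here with a comment such as `// State is left set for postSetUserClaimOnMobileNumberUpdate; the setter clears it in a finally block.` The branch also accepts whatever mobile value is in `claims` without comparing it to the number that was verified, so that guarantee has to come from the caller. The same pattern is in `preSetUserClaimsOnEmailUpdate` (hunk `@@ -475,6 +475,16`); both method bodies extend beyond their hunks.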
@@ -317,7 +327,9 @@ private void postSetUserClaimOnMobileNumberUpdate(User user, UserStoreManager us
 SkipMobileNumberVerificationOnUpdateStates.SKIP_ON_EXISTING_MOBILE_NUM.toString().equals (skipMobileNumVerificationOnUpdateState) && !IdentityRecoveryConstants .SkipMobileNumberVerificationOnUpdateStates.SKIP_ON_INAPPLICABLE_CLAIMS.toString().equals
- (skipMobileNumVerificationOnUpdateState)) {
+ (skipMobileNumVerificationOnUpdateState) && !IdentityRecoveryConstants
+ .SkipMobileNumberVerificationOnUpdateStates.SKIP_ON_SMS_OTP_FLOW.toString().equals
+ (skipMobileNumVerificationOnUpdateState)) {
 String verificationPendingMobileNumClaim = getVerificationPendingMobileNumValue(userStoreManager, user);
diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/UserEmailVerificationHandler.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/UserEmailVerificationHandler.java
index 924cb9cbb1..221cc523ea 100644
--- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/UserEmailVerificationHandler.java
+++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/handler/UserEmailVerificationHandler.java
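Review bot: The condition in `postSetUserClaimOnMobileNumberUpdate` gains one more negated `toString().equals(...)` clause, and the same skip state now has to be kept in sync with the pre-update branch and with the e-mail handler (hunk `@@ -541,7 +551,9`). A state added in one place and missed in another changes when verification is triggered, with no compile-time signal. I would move the test into one helper, e.g. `private static boolean isSkipState(String state)`, backed by a set of the enum constants' names. Comparing against `name()` rather than `toString()` would also keep the check stable if the enum ever overrides `toString()`. The condition starts above the hunk, so its earlier clauses are not visible here.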
@@ -475,6 +475,16 @@ private void preSetUserClaimsOnEmailUpdate(Map claims, UserStore
 return;
 }
+ /*
+ Within the Email OTP flow, the email address is updated in the user profile after successfully verifying the
+ OTP. Therefore, the email is already verified & no need to verify it again.
+ */
+ if (IdentityRecoveryConstants.SkipEmailVerificationOnUpdateStates.SKIP_ON_EMAIL_OTP_FLOW.toString().equals
+ (Utils.getThreadLocalToSkipSendingEmailVerificationOnUpdate())) {
+ invalidatePendingEmailVerification(user, userStoreManager, claims);
+ return;
+ }
+
 if (Utils.getThreadLocalToSkipSendingEmailVerificationOnUpdate() != null) {
 Utils.unsetThreadLocalToSkipSendingEmailVerificationOnUpdate();
 }
@@ -541,7 +551,9 @@ private void postSetUserClaimsOnEmailUpdate(User user, UserStoreManager userStor
 SkipEmailVerificationOnUpdateStates.SKIP_ON_EXISTING_EMAIL.toString().equals (skipEmailVerificationOnUpdateState) && !IdentityRecoveryConstants .SkipEmailVerificationOnUpdateStates.SKIP_ON_INAPPLICABLE_CLAIMS.toString().equals
- (skipEmailVerificationOnUpdateState)) {
+ (skipEmailVerificationOnUpdateState) && !IdentityRecoveryConstants
+ .SkipEmailVerificationOnUpdateStates.SKIP_ON_EMAIL_OTP_FLOW.toString().equals
+ (skipEmailVerificationOnUpdateState)) {
 String pendingVerificationEmailClaimValue = getPendingVerificationEmailValue(userStoreManager, user);