From becd0fa842350b24d825ab21c8671a7d1cb1501e Mon Sep 17 00:00:00 2001
From: shanggeeth
Date: Mon, 16 Dec 2024 11:16:40 +0530
Subject: [PATCH] Skip setting the verified claim for notification less password recovery flows
---
 .../NotificationPasswordRecoveryManager.java | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java
index 2948ef6b4..2b4b30871 100644
--- a/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java
+++ b/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java
@@ -936,7 +936,7 @@ private HashMap getAccountStateClaims(UserRecoveryData userRecov
 Enum recoveryScenario = userRecoveryData.getRecoveryScenario();
 // If notifications are internally managed we try to set the verified claims since this is an opportunity
 // to verify a user channel.
- if (isNotificationInternallyManaged) {
+ if (isNotificationInternallyManaged && !isNotificationLessRecoveryMethod(recoveryScenario)) {
 if (NotificationChannels.EMAIL_CHANNEL.getChannelType().equals(userRecoveryData.getRemainingSetIds())) {
 userClaims.put(NotificationChannels.EMAIL_CHANNEL.getVerifiedClaimUrl(), Boolean.TRUE.toString());
 } else if (NotificationChannels.SMS_CHANNEL.getChannelType().equals(userRecoveryData.getRemainingSetIds())) {
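Review bot: The two context comment lines just above the changed `if` still say the verified claims are set whenever notifications are internally managed, which the added `&& !isNotificationLessRecoveryMethod(recoveryScenario)` makes untrue; update them, e.g. `// to verify a user channel. Flows that send no notification are skipped, since no channel was exercised.`. Writing TRUE to `getVerifiedClaimUrl()` for a scenario that never delivered anything to the email or SMS channel would assert channel ownership that was not proven, so the exclusion deserves to be visible at the branch and not only inside the helper. getAccountStateClaims starts and ends outside this hunk.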
@@ -978,6 +978,20 @@ private HashMap getAccountStateClaims(UserRecoveryData userRecov
 return userClaims;
 }
 
+ /**
+ * Check whether the recovery scenario is notification based.
+ * A set of recovery scenarios such as question based password recovery, and
+ * password reset on password expiry does not require sending notifications to the user.
+ *
+ * @param recoveryScenario Recovery scenario
+ * @return True if the recovery scenario does not require sending notifications
+ */
+ private boolean isNotificationLessRecoveryMethod(Enum recoveryScenario) {
+
+ return RecoveryScenarios.QUESTION_BASED_PWD_RECOVERY.equals(recoveryScenario) ||
+ RecoveryScenarios.PASSWORD_EXPIRY.equals(recoveryScenario);
+ }
+
 /**
 * Validate Tenant domain of the user with the domain in the context.
 *
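Review bot: The Javadoc summary on the new helper states the inverse of its result — `Check whether the recovery scenario is notification based.` while the method returns true for notification-less scenarios; change it to `Check whether the recovery scenario requires no notification to be sent to the user.`. The parameter is a raw `Enum`; declaring it as `private boolean isNotificationLessRecoveryMethod(Enum<?> recoveryScenario) {` still compiles with the existing raw-`Enum` call from getAccountStateClaims and drops the raw-type warning. The helper is also a closed list, so any scenario other than `QUESTION_BASED_PWD_RECOVERY` and `PASSWORD_EXPIRY` is treated as notification-based and the caller goes on to mark the channel verified; a comment such as `// Any scenario not listed here is treated as notification based; add new notification-less scenarios to this list.` would make that default visible to whoever adds the next scenario.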