Verification & Account Recovery not working

[Leon0402]

Hi,

I implemented Ory Kratos with my own vue3 frontend and noticed that verification & account recovery were not working. To be sure it is no problem with my implementation, I checked it with the official react sample.

I thus cloned https://github.com/ory/kratos-selfservice-ui-react-nextjs, created a tunnel with my Ory Network instance to local host and set the ORY_SDK_URL appropriately. I can acess the frontend and stuff like registration, login, logout, settings are working as expected (same in my vue implementation).

The first issue is verification though. I can access the verification screen and put in my email in (or use the verification email that you automatically get after a registration):

In the email I click the link, which redirects me first to Ory Network and then to my frontend. The url is localhost:3000/verification?flow=<Some flow>. localhost:3000/verification is also what I configured in my Ory Network settings.

But then it just removes the flow from the url and reloads the page. Which leads to the normal verification screen:

According to some debugging I always get a cors mismatch problem or something like that. So it just reload according to the code

    if (flowId) {
      ory
        .getSelfServiceVerificationFlow(String(flowId))
        .then(({ data }) => {
          setFlow(data)
        })
        .catch((err: AxiosError) => {
          switch (err.response?.status) {
            case 410:
            // Status code 410 means the request has expired - so let's load a fresh flow!
            case 403:
              // Status code 403 implies some other issue (e.g. CSRF) - let's reload!
              return router.push('/verification')
          }

          throw err
        })
      return
    }

With account recovers the process is similar. I can put in my email and get the email for recovery, that's all working. When clicking on it it redirects me to localhost:3000/recovery?flow=<some flow> in the end. But then I do get a 401 not authenticated error. According to the documentation recovery should actually log me in, but it seems it doesn't.

I believe the issue with recovery could be that my account is not verified and therefore recovery is not allowed? I can't test this though, because account verification is not working :-) But if that's the issue I wonder if there would be a better way to handle this scenario and show a proper error message.

Edit: According to the documentation, recovery should work without prior activation and will actually lead to activation

[aeneasr]

Thank you for the report!

One issue recovery and verification right now is that we need to send a link to a browser URL in the email. That's the link the user clicks. However, that link is linked to your primary domain (oryapis.com, or your custom domain). It's never localhost. But it should be localhost!

We're working on a new strategy in Q3/Q4 which will use a code sent to the email instead of a link, that way there are no URLs that need to be clicked :)

[Leon0402]

Very cool! Can you post a link to the PR if it's already online or post one if it is

[aeneasr]

Unfortunately not since that code is in a proprietary repository as it only affects Ory Network system

[Leon0402]

Really? Isn't the problem the same with every sever setup. If I have Ory Kratos somewhere deployed and use ory tunnel to create the proxy for the dev setup, it will have the same issue or not?

[aeneasr]

In that case it is much easier to deploy Ory Kratos locally. The Ory Proxy and Ory Tunnel are using opinionated code that only works in our cloud system and we optimize it for Ory Network