chore: code review for code strategy (magic code login)

selfservice/strategy/code/code_sender.go

@@ -70,14 +70,13 @@ func (s *Sender) SendCode(ctx context.Context, f flow.Flow, id *identity.Identit
 		WithSensitiveField("address", addresses).
 		Debugf("Preparing %s code", f.GetFlowName())
 
-	// We generate the code once and use it for all addresses. This is important because
-	// generating different codes per address would reduce the search space for an attacker.
-	//
-	// See also [this discussion](https://github.com/ory/kratos/pull/3378#discussion_r1305436968).
-	rawCode := GenerateCode()
-
 	// send to all addresses
 	for _, address := range addresses {
+		// We have to generate a unique code per address, or otherwise it is not possible to link which
+		// address was used to verify the code.
+		//
+		// See also [this discussion](https://github.com/ory/kratos/pull/3456#discussion_r1307560988).
+		rawCode := GenerateCode()
 
 		switch f.GetFlowName() {
 		case flow.RegistrationFlow:

test/e2e/cypress/integration/profiles/code/login/success.spec.ts

@@ -133,6 +133,9 @@ context("Login success with code method", () => {
             "traits.email2": email2,
           },
         })
+
+        // There are verification emails from the registration process in the inbox that we need to deleted
+        // for the assertions below to pass.
         cy.deleteMail({ atLeast: 1 })
 
         cy.visit(route)

test/e2e/cypress/integration/profiles/code/registration/error.spec.ts

@@ -36,13 +36,12 @@ context("Registration error messages with code method", () => {
         cy.get('input[name="traits.email"]').type(email)
         cy.submitCodeForm()
 
-        cy.url().should("contain", "registration")
         cy.get('[data-testid="ui/message/1040005"]').should(
           "contain",
           "An email containing a code has been sent to the email address you provided",
         )
 
-        cy.get(' input[name="code"]').type("invalid-code")
+        cy.get('input[name="code"]').type("invalid-code")
         cy.submitCodeForm()
 
         cy.get('[data-testid="ui/message/4040003"]').should(
@@ -56,12 +55,15 @@ context("Registration error messages with code method", () => {
 
         cy.get('input[name="traits.email"]').type(email)
         cy.submitCodeForm()
+        cy.get('[data-testid="ui/message/1040005"]').should(
+          "contain",
+          "An email containing a code has been sent to the email address you provided",
+        )
 
-        cy.url().should("contain", "registration")
         cy.get('input[name="traits.email"]')
           .clear()
           .type("[email protected]")
-        cy.get(' input[name="code"]').type("invalid-code")
+        cy.get('input[name="code"]').type("invalid-code")
         cy.submitCodeForm()
 
         cy.get('[data-testid="ui/message/4000030"]').should(
@@ -75,12 +77,14 @@ context("Registration error messages with code method", () => {
 
         cy.get('input[name="traits.email"]').type(email)
         cy.submitCodeForm()
-
-        cy.url().should("contain", "registration")
+        cy.get('[data-testid="ui/message/1040005"]').should(
+          "contain",
+          "An email containing a code has been sent to the email address you provided",
+        )
 
         cy.removeAttribute(['input[name="code"]'], "required")
-        cy.submitCodeForm()
 
+        cy.submitCodeForm()
         cy.get('[data-testid="ui/message/4000002"]').should(
           "contain",
           "Property code is missing",
@@ -105,11 +109,14 @@ context("Registration error messages with code method", () => {
         cy.visit(route)
 
         const email = gen.email()
-
         cy.get('input[name="traits.email"]').type(email)
+
         cy.submitCodeForm()
+        cy.get('[data-testid="ui/message/1040005"]').should(
+          "contain",
+          "An email containing a code has been sent to the email address you provided",
+        )
 
-        cy.url().should("contain", "registration")
         cy.getRegistrationCodeFromEmail(email).should((code) => {
           cy.get('input[name="code"]').type(code)
           cy.submitCodeForm()

test/e2e/cypress/integration/profiles/code/registration/success.spec.ts

@@ -38,21 +38,23 @@ context("Registration success with code method", () => {
       it("should be able to resend the registration code", async () => {
         const email = gen.email()
 
-        cy.get(` input[name='traits.email']`).type(email)
+        cy.get(`input[name='traits.email']`).type(email)
 
         cy.submitCodeForm()
-
-        cy.url().should("contain", "registration")
+        cy.get('[data-testid="ui/message/1040005"]').should(
+          "contain",
+          "An email containing a code has been sent to the email address you provided",
+        )
 
         cy.getRegistrationCodeFromEmail(email).should((code) =>
           cy.wrap(code).as("code1"),
         )
 
-        cy.get(` input[name='traits.email']`).should("have.value", email)
-        cy.get(` input[name='method'][value='code'][type='hidden']`).should(
+        cy.get(`input[name='traits.email']`).should("have.value", email)
+        cy.get(`input[name='method'][value='code'][type='hidden']`).should(
           "exist",
         )
-        cy.get(` button[name='resend'][value='code']`).click()
+        cy.get(`button[name='resend'][value='code']`).click()
 
         cy.getRegistrationCodeFromEmail(email).should((code) => {
           cy.wrap(code).as("code2")
@@ -61,8 +63,8 @@ context("Registration success with code method", () => {
         cy.get("@code1").then((code1) => {
           // previous code should not work
           cy.get('input[name="code"]').clear().type(code1.toString())
-          cy.submitCodeForm()
 
+          cy.submitCodeForm()
           cy.get('[data-testid="ui/message/4040003"]').should(
             "contain.text",
             "The registration code is invalid or has already been used. Please try again.",
@@ -89,10 +91,13 @@ context("Registration success with code method", () => {
         cy.get(` input[name='traits.email']`).type(email)
 
         cy.submitCodeForm()
+        cy.get('[data-testid="ui/message/1040005"]').should(
+          "contain",
+          "An email containing a code has been sent to the email address you provided",
+        )
 
-        cy.url().should("contain", "registration")
         cy.getRegistrationCodeFromEmail(email).should((code) => {
-          cy.get(` input[name=code]`).type(code)
+          cy.get(`input[name=code]`).type(code)
           cy.get("button[name=method][value=code]").click()
         })
 
@@ -109,29 +114,28 @@ context("Registration success with code method", () => {
         cy.setPostCodeRegistrationHooks([])
         const email = gen.email()
 
-        cy.get(` input[name='traits.email']`).type(email)
+        cy.get(`input[name='traits.email']`).type(email)
 
         cy.submitCodeForm()
+        cy.get('[data-testid="ui/message/1040005"]').should(
+          "contain",
+          "An email containing a code has been sent to the email address you provided",
+        )
 
-        cy.url().should("contain", "registration")
         cy.getRegistrationCodeFromEmail(email).should((code) => {
-          cy.get(` input[name=code]`).type(code)
+          cy.get(`input[name=code]`).type(code)
           cy.get("button[name=method][value=code]").click()
         })
 
-        cy.deleteMail({ atLeast: 1 })
-
         cy.visit(login)
-        cy.get(` input[name=identifier]`).type(email)
+        cy.get(`input[name=identifier]`).type(email)
         cy.get("button[name=method][value=code]").click()
 
         cy.getLoginCodeFromEmail(email).then((code) => {
-          cy.get(`input[name = code]`).type(code)
+          cy.get(`input[name=code]`).type(code)
           cy.get("button[name=method][value=code]").click()
         })
 
-        cy.deleteMail({ atLeast: 1 })
-
         cy.getSession().should((session) => {
           const { identity } = session
           expect(identity.id).to.not.be.empty
@@ -179,35 +183,40 @@ context("Registration success with code method", () => {
         cy.get(`input[name='traits.username']`).type(Math.random().toString(36))
 
         const email = gen.email()
-
         cy.get(`input[name='traits.email']`).type(email)
 
         const email2 = gen.email()
-
         cy.get(`input[name='traits.email2']`).type(email2)
 
         cy.submitCodeForm()
+        cy.get('[data-testid="ui/message/1040005"]').should(
+          "contain",
+          "An email containing a code has been sent to the email address you provided",
+        )
 
-        // intentionally use email 1 to verify the account
-        cy.url().should("contain", "registration")
-        cy.getRegistrationCodeFromEmail(email, { expectedCount: 2 }).should(
+        // intentionally use email 1 to sign up for the account
+        cy.getRegistrationCodeFromEmail(email, { expectedCount: 1 }).should(
           (code) => {
             cy.get(`input[name=code]`).type(code)
             cy.get("button[name=method][value=code]").click()
           },
         )
 
-        cy.deleteMail({ atLeast: 2 })
-
         cy.logout()
 
+        // There are verification emails from the registration process in the inbox that we need to deleted
+        // for the assertions below to pass.
+        cy.deleteMail({ atLeast: 1 })
+
         // Attempt to sign in with email 2 (should fail)
         cy.visit(login)
-        cy.get(` input[name=identifier]`).type(email2)
+        cy.get(`input[name=identifier]`).type(email2)
 
         cy.get("button[name=method][value=code]").click()
 
-        cy.getLoginCodeFromEmail(email2).should((code) => {
+        cy.getLoginCodeFromEmail(email2, {
+          expectedCount: 1,
+        }).should((code) => {
           cy.get(`input[name=code]`).type(code)
           cy.get("button[name=method][value=code]").click()
         })

test/e2e/cypress/support/commands.ts

@@ -384,7 +384,13 @@ Cypress.Commands.add(
 
 Cypress.Commands.add(
   "registerWithCode",
-  ({ email = gen.email(), code = undefined, traits = {}, query = {} } = {}) => {
+  ({
+    email = gen.email(),
+    code = undefined,
+    traits = {},
+    query = {},
+    expectedMailCount = 1,
+  } = {}) => {
     cy.clearAllCookies()
 
     cy.request({
@@ -416,7 +422,6 @@ Cypress.Commands.add(
         })
         .then(({ body }) => {
           if (!code) {
-            console.log("registration with code", body)
             expect(
               body.ui.nodes.find(
                 (f: UiNode) =>
@@ -426,14 +431,9 @@ Cypress.Commands.add(
               ).attributes.value,
             ).to.eq(email)
 
-            const expectedCount =
-              Object.keys(traits)
-                .map((k) => (k.includes("email") ? k : null))
-                .filter(Boolean).length + 1
-
             return cy
               .getRegistrationCodeFromEmail(email, {
-                expectedCount: expectedCount,
+                expectedCount: expectedMailCount,
               })
               .then((code) => {
                 return cy.request({
@@ -1260,7 +1260,7 @@ Cypress.Commands.add(
     const req = () =>
       cy.request(`${MAIL_API}/mail`).then((response) => {
         expect(response.body).to.have.property("mailItems")
-        const count = response.body.mailItems.length
+        let count = response.body.mailItems.length
         if (count === 0 && tries < 100) {
           tries++
           cy.wait(pollInterval)
@@ -1269,19 +1269,23 @@ Cypress.Commands.add(
 
         let mailItem: any
         if (email) {
-          mailItem = response.body.mailItems.find((m: any) =>
+          const filtered = response.body.mailItems.filter((m: any) =>
             m.toAddresses.includes(email),
           )
-          if (!mailItem) {
+
+          if (filtered.length === 0) {
             tries++
             cy.wait(pollInterval)
             return req()
           }
+
+          expect(filtered.length).to.equal(expectedCount)
+          mailItem = filtered[0]
         } else {
+          expect(count).to.equal(expectedCount)
           mailItem = response.body.mailItems[0]
         }
 
-        expect(count).to.equal(expectedCount)
         if (removeMail) {
           return cy.deleteMail({ atLeast: count }).then(() => {
             return Promise.resolve(mailItem)

test/e2e/cypress/support/index.d.ts

@@ -80,6 +80,7 @@ declare global {
         code?: string
         traits?: { [key: string]: any }
         query?: { [key: string]: string }
+        expectedMailCount?: number
       }): Chainable<Response<void>>
 
       /**
@@ -731,7 +732,7 @@ declare global {
        */
       getRegistrationCodeFromEmail(
         email: string,
-        opts?: { expectedCount: number },
+        opts?: { expectedCount: number; removeMail?: boolean },
       ): Chainable<string>
 
       /**