fix: prevent password init on email verification for external users (#8602)

# Which Problems Are Solved If a user is created through the login UI with an IdP and an unverified email, the user is prompted with the email verification and to set a password. This was unintentionally changed with #8291 # How the Problems Are Solved - Check if the user has any IdP linked when computing the EmailVerification step. # Additional Changes None # Additional Context - reported in a support request
2025-08-11 20:57:31 +00:00 · 2024-09-13 17:51:06 +02:00
parent 14383cfe8c
commit 8831b33013
2 changed files with 69 additions and 1 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -1092,7 +1092,7 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
 	}
 	if !user.IsEmailVerified {
 		steps = append(steps, &domain.VerifyEMailStep{
-			InitPassword: !user.PasswordSet,
+			InitPassword: !user.PasswordSet && len(idps.Links) == 0,
 		})
 	}
 	if user.UsernameChangeRequired {
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -1058,6 +1058,74 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]domain.NextStep{&domain.VerifyInviteStep{}},
 			nil,
 		},
 		{
 			"password not set (email not verified), verify email with password step",
 			fields{
 				userSessionViewProvider: &mockViewUserSession{},
 				userViewProvider: &mockViewUser{
 					PasswordInitRequired: true,
 				},
 				userEventProvider: &mockEventUser{},
 				lockoutPolicyProvider: &mockLockoutPolicy{
 					policy: &query.LockoutPolicy{
 						ShowFailures: true,
 					},
 				},
 				orgViewProvider:      &mockViewOrg{State: domain.OrgStateActive},
 				idpUserLinksProvider: &mockIDPUserLinks{},
 			},
 			args{
 				&domain.AuthRequest{
 					UserID: "UserID",
 					LoginPolicy: &domain.LoginPolicy{
 						AllowUsernamePassword: true,
 					},
 				},
 				false,
 			},
 			[]domain.NextStep{&domain.VerifyEMailStep{InitPassword: true}},
 			nil,
 		},
 		{
 			"password not set, but idp, email not verified, verify email step",
 			fields{
 				userSessionViewProvider: &mockViewUserSession{
 					ExternalLoginVerification: testNow.Add(-5 * time.Minute),
 				},
 				userViewProvider:  &mockViewUser{},
 				userEventProvider: &mockEventUser{},
 				lockoutPolicyProvider: &mockLockoutPolicy{
 					policy: &query.LockoutPolicy{
 						ShowFailures: true,
 					},
 				},
 				orgViewProvider: &mockViewOrg{State: domain.OrgStateActive},
 				idpUserLinksProvider: &mockIDPUserLinks{
 					[]*query.IDPUserLink{
 						{
 							IDPID:            "idpID",
 							UserID:           "userID",
 							IDPName:          "idpName",
 							ProvidedUserID:   "providedUserID",
 							ProvidedUsername: "providedUsername",
 						},
 					},
 				},
 			},
 			args{
 				&domain.AuthRequest{
 					UserID: "UserID",
 					LoginPolicy: &domain.LoginPolicy{
 						AllowUsernamePassword:      true,
 						ExternalLoginCheckLifetime: 10 * 24 * time.Hour,
 					},
 					SelectedIDPConfigID: "idpID",
 				},
 				false,
 			},
 			[]domain.NextStep{&domain.VerifyEMailStep{}},
 			nil,
 		},
 		{
 			"password not set (email not verified), init password step",
 			fields{