Hi, when I configured some required actions like so:
- password reset (priority 1)
- verify email (priority 2)
- terms and conditions (priority 3)
When the user triggers a password reset (via forgot password) I expect the following order:
| action | context |
|---|---|
| password reset | session |
| verify email | user |
| terms and conditions | user |
but instead they execute in the following order:
| action | context |
|---|---|
| verify email | user |
| terms and conditions | user |
| password reset | session |
This seems like a bug to me and I looked into the code and it seems to go wrong here:

```java
Stream<String> requiredActions = user.getRequiredActionsStream();
// Here all the user required actions are executed, even if there are higher priority actions stored in the session...
Response action = executionActions(session, authSession, request, event, realm, user, requiredActions);
if (action != null) return action;
// ... which are executed afterwards
action = executionActions(session, authSession, request, event, realm, user, authSession.getRequiredActions().stream());
if (action != null) return action;
```
One potential way of fixing this would be to concatenate user required actions and session required actions to execute them in one step.
The only obvious difference would be that we can't return early after executing the user actions, but I don't understand when that is actually desired.
Could you provide some context and would you like me to prepare a PR?
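The ordering difference described in this issue, as an added illustration that is not Keycloak's code: `twoPhaseOrder` models the current behaviour (user actions sorted and executed, then session actions), while `mergedOrder` models the proposed fix of concatenating both sources before sorting. The priority map and the action labels are constructed from the configuration given above, and the assumption that a lower priority value runs first is a simplification of the realm's required-action ordering.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class RequiredActionOrder {
    // Constructed priorities from the issue's configuration (assumption: lower value runs first).
    static final Map<String, Integer> PRIORITY = Map.of(
            "password reset", 1,
            "verify email", 2,
            "terms and conditions", 3);

    // Stand-in for the realm's priority ordering of required actions.
    static List<String> sortByPriority(Stream<String> actions) {
        return actions
                .sorted(Comparator.comparingInt(a -> PRIORITY.getOrDefault(a, Integer.MAX_VALUE)))
                .collect(Collectors.toList());
    }

    // Current behaviour as described in the issue: all user actions run first,
    // session actions only afterwards, so a higher-priority session action waits.
    static List<String> twoPhaseOrder(List<String> userActions, List<String> sessionActions) {
        List<String> order = new ArrayList<>(sortByPriority(userActions.stream()));
        order.addAll(sortByPriority(sessionActions.stream()));
        return order;
    }

    // Proposed fix: concatenate both sources and sort once, so priority decides
    // regardless of whether the action is stored on the user or the session.
    static List<String> mergedOrder(List<String> userActions, List<String> sessionActions) {
        return sortByPriority(Stream.concat(userActions.stream(), sessionActions.stream()).distinct());
    }

    public static void main(String[] args) {
        // Constructed state matching the issue: reset is on the session, the rest on the user.
        List<String> userActions = List.of("verify email", "terms and conditions");
        List<String> sessionActions = List.of("password reset");
        System.out.println("two-phase: " + twoPhaseOrder(userActions, sessionActions));
        System.out.println("merged:    " + mergedOrder(userActions, sessionActions));
    }
}
```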