diff --git a/selfservice/strategy/multistep/strategy_login.go b/selfservice/strategy/multistep/strategy_login.go
index 1a2f8074f374..3552c5f11095 100644
--- a/selfservice/strategy/multistep/strategy_login.go
+++ b/selfservice/strategy/multistep/strategy_login.go
@@ -29,7 +29,7 @@ func (s *Strategy) handleLoginError(w http.ResponseWriter, r *http.Request, f *l
 return err
 }

-func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, _ *session.Session) (i *identity.Identity, err error) {
+func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, _ *session.Session) (_ *identity.Identity, err error) {
 if !s.d.Config().SelfServiceLoginFlowTwoStepEnabled(r.Context()) {
 return nil, errors.WithStack(flow.ErrStrategyNotResponsible)
 }
@@ -69,23 +69,20 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
 } else if err != nil {
 // An error happened during lookup
 return nil, s.handleLoginError(w, r, f, &p, err)
- } else {
+ } else if !s.d.Config().SecurityAccountEnumerationMitigate(r.Context()) {
 // Hydrate credentials
 if err := s.d.PrivilegedIdentityPool().HydrateIdentityAssociations(r.Context(), identityHint, identity.ExpandCredentials); err != nil {
 return nil, s.handleLoginError(w, r, f, &p, err)
 }
-
- // Add identity hint
- opts = append(opts, login.WithIdentityHint(i))
 }

- strategies := s.d.LoginStrategies(r.Context())
-
 f.UI.ResetMessages()
 f.UI.Nodes.SetValueAttribute("identifier", p.Identifier)

- // Get the identifier
- for _, ls := range strategies {
+ // Add identity hint
+ opts = append(opts, login.WithIdentityHint(identityHint))
+
+ for _, ls := range s.d.LoginStrategies(r.Context()) {
 populator, ok := ls.(login.FormHydrator)
 if !ok {
 continue
diff --git a/selfservice/strategy/passkey/passkey_login.go b/selfservice/strategy/passkey/passkey_login.go
index f6b31668b1af..54b3f475ed38 100644
--- a/selfservice/strategy/passkey/passkey_login.go
+++ b/selfservice/strategy/passkey/passkey_login.go
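Review bot: In the second hunk of strategy_login.go, `login.WithIdentityHint(identityHint)` is appended unconditionally, so with `SecurityAccountEnumerationMitigate` enabled every `login.FormHydrator` still receives a non-nil (un-hydrated) hint for an existing account and, presumably, a nil one for an unknown identifier. The passkey, password and webauthn hydrators patched in this commit tolerate that, but any other hydrator that branches on `o.IdentityHint != nil` could still answer differently for existing accounts. Withholding the hint under mitigation would make the two cases indistinguishable by construction, e.g. `if !s.d.Config().SecurityAccountEnumerationMitigate(r.Context()) { opts = append(opts, login.WithIdentityHint(identityHint)) }`. The not-found branch and the rest of `Login` lie outside the hunk, so what `identityHint` holds there should be confirmed, and a test comparing the flow output for a known and an unknown identifier with the flag on would pin the behaviour.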
@@ -419,7 +419,7 @@ func (s *Strategy) PopulateLoginMethodMultiStepSelection(r *http.Request, sr *lo
 count, err := s.CountActiveFirstFactorCredentials(o.IdentityHint.Credentials)
 if err != nil {
 return err
- } else if count == 0 {
+ } else if count == 0 && !s.d.Config().SecurityAccountEnumerationMitigate(r.Context()) {
 return nil
 }
 }
diff --git a/selfservice/strategy/password/login.go b/selfservice/strategy/password/login.go
index d6817a40d625..6c04c9d31033 100644
--- a/selfservice/strategy/password/login.go
+++ b/selfservice/strategy/password/login.go
@@ -184,13 +184,13 @@ func (s *Strategy) PopulateLoginMethodMultiStepSelection(r *http.Request, sr *lo

 if o.IdentityHint == nil {
 // Identity was not found so add fields
- } else if o.IdentityHint != nil {
+ } else {
 // If we have an identity hint we can perform identity credentials discovery and
 // hide this credential if it should not be included.
 count, err := s.CountActiveFirstFactorCredentials(o.IdentityHint.Credentials)
 if err != nil {
 return err
- } else if count == 0 {
+ } else if count == 0 && !s.d.Config().SecurityAccountEnumerationMitigate(r.Context()) {
 return nil
 }
 }
diff --git a/selfservice/strategy/webauthn/login.go b/selfservice/strategy/webauthn/login.go
index adbd172c2469..93cbe38fadd6 100644
--- a/selfservice/strategy/webauthn/login.go
+++ b/selfservice/strategy/webauthn/login.go
@@ -382,7 +382,7 @@ func (s *Strategy) PopulateLoginMethodMultiStepSelection(r *http.Request, sr *lo
 count, err := s.CountActiveFirstFactorCredentials(o.IdentityHint.Credentials)
 if err != nil {
 return err
- } else if count == 0 {
+ } else if count == 0 && !s.d.Config().SecurityAccountEnumerationMitigate(r.Context()) {
 return nil
 }
 }
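Review bot: In the passkey hunk the mitigation flag is consulted only after `CountActiveFirstFactorCredentials(o.IdentityHint.Credentials)` has run, so with mitigation on a request carrying a hint still takes the count path and can return its `err`, while a request without a hint (as the password hunk shows) never reaches it. Checking the flag first keeps both cases on one path, for instance by entering the counting branch only when `o.IdentityHint != nil && !s.d.Config().SecurityAccountEnumerationMitigate(r.Context())`. The same `count == 0 && !…Mitigate(…)` condition is repeated in the password and webauthn hunks, so a small shared helper would keep the three strategies from drifting apart. The enclosing condition and the rest of `PopulateLoginMethodMultiStepSelection` are outside the hunk.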
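Review bot: In the password hunk the `if o.IdentityHint == nil { … } else { … }` form keeps an empty branch that holds only the comment `// Identity was not found so add fields`. Now that the `else if` has become a plain `else`, inverting it to `if o.IdentityHint != nil {` and moving that comment above the statement would read more directly. The function body continues outside the hunk.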