From 40ed809db631149874864f216a106c43ea5df670 Mon Sep 17 00:00:00 2001
From: Jonas Hungershausen
Date: Fri, 16 Feb 2024 10:10:11 +0100
Subject: [PATCH 1/2] fix: don't require code credential for MFA flows (#3753)

---
 internal/testhelpers/config.go | 8 +++++++-
 selfservice/strategy/code/strategy_login.go | 19 +++++++++++++++----
 .../strategy/code/strategy_login_test.go | 3 ++-
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/internal/testhelpers/config.go b/internal/testhelpers/config.go
index b7a284767459..2a24709c0745 100644
--- a/internal/testhelpers/config.go
+++ b/internal/testhelpers/config.go
@@ -24,11 +24,17 @@ func UseConfigFile(t *testing.T, path string) *pflag.FlagSet {
 	return flags
 }
 
-func SetDefaultIdentitySchema(conf *config.Config, url string) {
+func SetDefaultIdentitySchema(conf *config.Config, url string) func() {
+	schemaUrl, _ := conf.DefaultIdentityTraitsSchemaURL(context.Background())
 	conf.MustSet(context.Background(), config.ViperKeyDefaultIdentitySchemaID, "default")
 	conf.MustSet(context.Background(), config.ViperKeyIdentitySchemas, config.Schemas{
 		{ID: "default", URL: url},
 	})
+	return func() {
+		conf.MustSet(context.Background(), config.ViperKeyIdentitySchemas, config.Schemas{
+			{ID: "default", URL: schemaUrl.String()},
+		})
+	}
 }
 
 // UseIdentitySchema registeres an identity schema in the config with a random ID and returns the ID
diff --git a/selfservice/strategy/code/strategy_login.go b/selfservice/strategy/code/strategy_login.go
index 5f7d04e395da..ac658e238dcb 100644
--- a/selfservice/strategy/code/strategy_login.go
+++ b/selfservice/strategy/code/strategy_login.go
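Review bot: The cleanup closure returned by `SetDefaultIdentitySchema` calls `schemaUrl.String()` on a value whose lookup error is discarded with `_` on the line above; if `DefaultIdentityTraitsSchemaURL` yields a nil pointer on failure, the resulting panic fires only inside `t.Cleanup`, far from its cause. Resolving the string eagerly and surfacing the error at the call site would avoid that, e.g. `prev, err := conf.DefaultIdentityTraitsSchemaURL(context.Background())` followed by a check that fails loudly instead of `_`, with the closure restoring `prev.String()`. The restore also replaces the whole `ViperKeyIdentitySchemas` list with a single `default` entry, so if the configuration held additional schemas before the call they are dropped at cleanup; capturing and restoring the previous schemas list would be lossless. Per Go naming, `schemaUrl` should be `schemaURL`.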
@@ -293,10 +293,21 @@ func (s *Strategy) loginVerifyCode(ctx context.Context, r *http.Request, f *logi
 	p.Identifier = maybeNormalizeEmail(p.Identifier)
 
-	// Step 1: Get the identity
-	i, isFallback, err := s.findIdentityByIdentifier(ctx, p.Identifier)
-	if err != nil {
-		return nil, err
+	isFallback := false
+	var i *identity.Identity
+	if f.RequestedAAL > identity.AuthenticatorAssuranceLevel1 {
+		// Don't require the code credential if the user already has a session (e.g. this is an MFA flow)
+		sess, err := s.deps.SessionManager().FetchFromRequest(ctx, r)
+		if err != nil {
+			return nil, err
+		}
+		i = sess.Identity
+	} else {
+		// Step 1: Get the identity
+		i, isFallback, err = s.findIdentityByIdentifier(ctx, p.Identifier)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	loginCode, err := s.deps.LoginCodePersister().UseLoginCode(ctx, f.ID, i.ID, p.Code)
diff --git a/selfservice/strategy/code/strategy_login_test.go b/selfservice/strategy/code/strategy_login_test.go
index 06d811362978..19cac6d38375 100644
--- a/selfservice/strategy/code/strategy_login_test.go
+++ b/selfservice/strategy/code/strategy_login_test.go
@@ -586,7 +586,8 @@ func TestLoginCodeStrategy(t *testing.T) {
 			})
 
 			t.Run("case=should be able to get AAL2 session", func(t *testing.T) {
-				identity := createIdentity(ctx, t, false)
+				t.Cleanup(testhelpers.SetDefaultIdentitySchema(conf, "file://./stub/default.schema.json")) // doesn't have the code credential
+				identity := createIdentity(ctx, t, true)
 				var cl *http.Client
 				var f *oryClient.LoginFlow
 				if tc.apiType == ApiTypeNative {

From 72bdedacc539199ade947f5c7570fb11bd416688 Mon Sep 17 00:00:00 2001
From: ory-bot <60093411+ory-bot@users.noreply.github.com>
Date: Fri, 16 Feb 2024 09:56:17 +0000
Subject: [PATCH 2/2] autogen(docs): regenerate and update changelog [skip ci]

---
 CHANGELOG.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a2e174ec48c..6142899fb09f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
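Review bot: In the new AAL2 branch `i = sess.Identity` is assigned without a nil check and `i.ID` is dereferenced on the `UseLoginCode` line; if `FetchFromRequest` can return a session whose `Identity` is not populated, that is a nil-pointer panic in a request handler rather than a clean error, so a guard such as `if sess == nil || sess.Identity == nil { return nil, <flow error> }` (placeholder for this file's usual error constructor) before the assignment would be safer. On this path `p.Identifier` is still normalised but no longer consulted, so a submitted identifier naming a different account than the session holder is silently ignored; the code remains bound to `f.ID` and `i.ID` in `UseLoginCode`, which is sound only if the send step, outside this hunk, issues the code to the session identity the same way, and that reliance deserves a comment, e.g. `// MFA: the identity comes from the existing session, not from p.Identifier; the code was issued for (f.ID, i.ID)`. `isFallback` is pinned to false on the session path, so whatever downstream logic keys off it should be checked for that assumption. `loginVerifyCode` starts before this hunk and continues past it.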
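Review bot: The updated case exercises only the success path of the new session-based branch in `loginVerifyCode`; a companion case asserting that a request with `RequestedAAL` above AAL1 but no usable session is rejected at `FetchFromRequest` would pin the check the commit now relies on instead of the identifier lookup. The flipped third argument of `createIdentity(ctx, t, true)` is not explained alongside the schema comment; a short note on what that flag changes for this identity would make the setup readable without opening the helper. `TestLoginCodeStrategy` starts before this hunk and continues after it.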
@@ -5,7 +5,7 @@ **Table of Contents** -- [ (2024-02-12)](#2024-02-12) +- [ (2024-02-16)](#2024-02-16) - [Bug Fixes](#bug-fixes) - [Features](#features) - [Tests](#tests) @@ -320,12 +320,15 @@ -# [](https://github.com/ory/kratos/compare/v1.1.0-pre.0...v) (2024-02-12) +# [](https://github.com/ory/kratos/compare/v1.1.0-pre.0...v) (2024-02-16) ### Bug Fixes - Add consistency flag ([#3733](https://github.com/ory/kratos/issues/3733)) ([fd79950](https://github.com/ory/kratos/commit/fd7995077307cc101550eda5d7724ea1f68fa98a)) +- Don't require code credential for MFA flows + ([#3753](https://github.com/ory/kratos/issues/3753)) + ([40ed809](https://github.com/ory/kratos/commit/40ed809db631149874864f216a106c43ea5df670)) - Http courier using should use lower case json ([#3740](https://github.com/ory/kratos/issues/3740)) ([84149c4](https://github.com/ory/kratos/commit/84149c4b420ea89f0a16a579c017a8e7e1670204))