ory · hperl · Apr 26, 2024 · Apr 25, 2024 · Apr 25, 2024 · Apr 26, 2024
@@ -205,8 +205,19 @@
 			if len(cred.Identifiers) > 0 {
 				identifierHint = cred.Identifiers[0]
 			}
-			duplicateCredErr.AddCredentialsType(cred.Type)
 			duplicateCredErr.SetIdentifierHint(identifierHint)
+
+			var cfg CredentialsPassword
+			if err := json.Unmarshal(cred.Config, &cfg); err != nil {
+				// just ignore this credential if the config is invalid
+				continue
+			}
+			if cfg.HashedPassword == "" {
+				// just ignore this credential if the hashed password is empty
+				continue
+			}
+
+			duplicateCredErr.AddCredentialsType(cred.Type)
 		case CredentialsTypeOIDC:
 			var cfg CredentialsOIDC
 			if err := json.Unmarshal(cred.Config, &cfg); err != nil {
@@ -232,6 +243,24 @@
 				identifierHint = cred.Identifiers[0]
 			}
 
+			for _, webauthn := range cfg.Credentials {
+				if webauthn.IsPasswordless {
+					duplicateCredErr.AddCredentialsType(cred.Type)
+					duplicateCredErr.SetIdentifierHint(identifierHint)
+					break
+				}
+			}
+		case CredentialsTypePasskey:
+			var cfg CredentialsWebAuthnConfig
+			if err := json.Unmarshal(cred.Config, &cfg); err != nil {
+				return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to JSON decode identity credentials %s for identity %s.", cred.Type, found.ID))
+			}
+
+			identifierHint := foundConflictAddress
+			if len(cred.Identifiers) > 0 {
+				identifierHint = cred.Identifiers[0]
+			}
+
 			for _, webauthn := range cfg.Credentials {
 				if webauthn.IsPasswordless {
 					duplicateCredErr.AddCredentialsType(cred.Type)

@@ -223,6 +223,31 @@ func TestManager(t *testing.T) {
 					assert.Equal(t, verr.IdentifierHint(), email)
 				})
 
+				t.Run("type=oidc", func(t *testing.T) {
+					email := uuid.Must(uuid.NewV4()).String() + "@ory.sh"
+					creds := map[identity.CredentialsType]identity.Credentials{
+						identity.CredentialsTypeOIDC: {
+							Type: identity.CredentialsTypeOIDC,
+							// Identifiers in OIDC are not email addresses, but a unique user ID.
+							Identifiers: []string{"google:" + uuid.Must(uuid.NewV4()).String()},
+							Config:      sqlxx.JSONRawMessage(`{"providers":[{"provider": "google"},{"provider": "github"}]}`),
+						},
+					}
+
+					first := createIdentity(email, "email_creds", creds)
+					require.NoError(t, reg.IdentityManager().Create(context.Background(), first))
+
+					second := createIdentity(email, "email_creds", creds)
+					err := reg.IdentityManager().Create(context.Background(), second)
+					require.Error(t, err)
+
+					var verr = new(identity.ErrDuplicateCredentials)
+					assert.ErrorAs(t, err, &verr)
+					assert.ElementsMatch(t, []string{"oidc"}, verr.AvailableCredentials())
+					assert.ElementsMatch(t, []string{"google", "github"}, verr.AvailableOIDCProviders())
+					assert.Equal(t, email, verr.IdentifierHint())
+				})
+
 				t.Run("type=password+oidc+webauthn", func(t *testing.T) {
 					email := uuid.Must(uuid.NewV4()).String() + "@ory.sh"
 					creds := map[identity.CredentialsType]identity.Credentials{

@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

@@ -267,9 +267,9 @@ INNER JOIN identity_credentials
         FROM identity_credential_types
         WHERE name = ?
      )
-WHERE identity_credentials.config ->> '%s' = ?
+WHERE identity_credentials.config ->> '%s' = ? AND identity_credentials.config ->> '%s' IS NOT NULL
   AND identities.nid = ?
-LIMIT 1`, jsonPath),
+LIMIT 1`, jsonPath, jsonPath),
 		identity.CredentialsTypeWebAuthn,
 		base64.StdEncoding.EncodeToString(userHandle),
 		p.NetworkID(ctx),

@@ -0,0 +1 @@
+DROP INDEX identity_credentials_config_user_handle_idx;
@@ -0,0 +1,4 @@
+CREATE INDEX identity_credentials_config_user_handle_idx
+    ON identity_credentials ((config ->> 'user_handle'))
+    WHERE config ->> 'user_handle' IS NOT NULL
+;
@@ -0,0 +1,3 @@
+CREATE INVERTED INDEX identity_credentials_user_handle_idx
+    ON identity_credentials (config)
+    WHERE config ->> 'user_handle' IS NOT NULL;
@@ -0,0 +1 @@
+DROP INDEX identity_credentials_user_handle_idx;
@@ -1285,7 +1285,7 @@ func TestStrategy(t *testing.T) {
 			var linkingLoginFlow struct{ ID string }
 			t.Run("step=should fail login and start a new login", func(t *testing.T) {
 				res, body := loginWithOIDC(t, client, loginFlow.ID, "valid")
-				assertUIError(t, res, body, "You tried signing in with [email protected] which is already in use by another account. You can sign in using social sign in, or your password. You can sign in using one of the following social sign in providers: Secondprovider.")
+				assertUIError(t, res, body, "You tried signing in with [email protected] which is already in use by another account. You can sign in using social sign in. You can sign in using one of the following social sign in providers: Secondprovider.")
 				linkingLoginFlow.ID = gjson.GetBytes(body, "id").String()
 				assert.NotEqual(t, loginFlow.ID.String(), linkingLoginFlow.ID, "should have started a new flow")
 			})

@@ -372,7 +372,7 @@ func TestRegistration(t *testing.T) {
 					assert.Contains(t, gjson.Get(actual, "ui.action").String(), fix.publicTS.URL+registration.RouteSubmitFlow, "%s", actual)
 					registrationhelpers.CheckFormContent(t, []byte(actual), "csrf_token", "traits.username")
 					assert.Equal(t,
-						"You tried signing in with "+email+" which is already in use by another account. You can sign in using your password.",
+						"You tried signing in with "+email+" which is already in use by another account. You can sign in using your passkey.",
 						gjson.Get(actual, "ui.messages.0.text").String(), "%s", actual)
 				})
 			}

@@ -438,7 +438,7 @@ func TestRegistration(t *testing.T) {
 					actual, _, _ = makeRegistration(t, f, values(email))
 					assert.Contains(t, gjson.Get(actual, "ui.action").String(), publicTS.URL+registration.RouteSubmitFlow, "%s", actual)
 					registrationhelpers.CheckFormContent(t, []byte(actual), node.WebAuthnRegisterTrigger, "csrf_token", "traits.username")
-					assert.Equal(t, "You tried signing in with "+email+" which is already in use by another account. You can sign in using your password, or your passkey or a security key.", gjson.Get(actual, "ui.messages.0.text").String(), "%s", actual)
+					assert.Equal(t, "You tried signing in with "+email+" which is already in use by another account. You can sign in using your passkey or a security key.", gjson.Get(actual, "ui.messages.0.text").String(), "%s", actual)
 				})
 			}
 		})

@@ -286,6 +286,8 @@ func NewErrorValidationDuplicateCredentialsWithHints(availableCredentialTypes []
 				humanReadable = append(humanReadable, "social sign in")
 			case "webauthn":
 				humanReadable = append(humanReadable, "your passkey or a security key")
+			case "passkey":
+				humanReadable = append(humanReadable, "your passkey")
 			}
 		}
 		if len(humanReadable) == 0 {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		DROP INDEX identity_credentials_config_user_handle_idx;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		DROP INDEX identity_credentials_user_handle_idx;