feat: do not automatically add verification hook

David-Wobrock · David-Wobrock · commit 5eac7361473b · 2025-03-19T10:35:03.000+01:00
Instead, it should be configured explicitly if we want emails to be sent during registration.

In the current state, this is a breaking change.
diff --git a/driver/registry_default_registration.go b/driver/registry_default_registration.go
@@ -26,19 +26,13 @@ func (m *RegistryDefault) PostRegistrationPrePersistHooks(ctx context.Context, c
 }
 
 func (m *RegistryDefault) PostRegistrationPostPersistHooks(ctx context.Context, credentialsType identity.CredentialsType) (b []registration.PostHookPostPersistExecutor) {
-	initialHookCount := 0
-	if m.Config().SelfServiceFlowVerificationEnabled(ctx) {
-		b = append(b, m.HookVerifier())
-		initialHookCount = 1
-	}
-
 	for _, v := range m.getHooks(string(credentialsType), m.Config().SelfServiceFlowRegistrationAfterHooks(ctx, string(credentialsType))) {
 		if hook, ok := v.(registration.PostHookPostPersistExecutor); ok {
 			b = append(b, hook)
 		}
 	}
 
-	if len(b) == initialHookCount {
+	if len(b) == 0 {
 		// since we don't want merging hooks defined in a specific strategy and
 		// global hooks are added only if no strategy specific hooks are defined
 		for _, v := range m.getHooks(config.HookGlobal, m.Config().SelfServiceFlowRegistrationAfterHooks(ctx, config.HookGlobal)) {
diff --git a/driver/registry_default_settings.go b/driver/registry_default_settings.go
@@ -29,19 +29,13 @@ func (m *RegistryDefault) PreSettingsHooks(ctx context.Context) (b []settings.Pr
 }
 
 func (m *RegistryDefault) PostSettingsPostPersistHooks(ctx context.Context, settingsType string) (b []settings.PostHookPostPersistExecutor) {
-	initialHookCount := 0
-	if m.Config().SelfServiceFlowVerificationEnabled(ctx) {
-		b = append(b, m.HookVerifier())
-		initialHookCount = 1
-	}
-
 	for _, v := range m.getHooks(settingsType, m.Config().SelfServiceFlowSettingsAfterHooks(ctx, settingsType)) {
 		if hook, ok := v.(settings.PostHookPostPersistExecutor); ok {
 			b = append(b, hook)
 		}
 	}
 
-	if len(b) == initialHookCount {
+	if len(b) == 0 {
 		// since we don't want merging hooks defined in a specific strategy and global hooks
 		// global hooks are added only if no strategy specific hooks are defined
 		for _, v := range m.getHooks(config.HookGlobal, m.Config().SelfServiceFlowSettingsAfterHooks(ctx, config.HookGlobal)) {
diff --git a/driver/registry_default_test.go b/driver/registry_default_test.go
@@ -263,11 +263,24 @@ func TestDriverDefault_Hooks(t *testing.T) {
 			{
 				uc: "Only session hook configured for password strategy",
 				config: map[string]any{
-					config.ViperKeySelfServiceVerificationEnabled: true,
 					config.ViperKeySelfServiceRegistrationAfter + ".password.hooks": []map[string]any{
 						{"hook": "session"},
 					},
 				},
+				expect: func(reg *driver.RegistryDefault) []registration.PostHookPostPersistExecutor {
+					return []registration.PostHookPostPersistExecutor{
+						hook.NewSessionIssuer(reg),
+					}
+				},
+			},
+			{
+				uc: "Session hook and verification hook configured for password strategy",
+				config: map[string]any{
+					config.ViperKeySelfServiceRegistrationAfter + ".password.hooks": []map[string]any{
+						{"hook": "verification"},
+						{"hook": "session"},
+					},
+				},
 				expect: func(reg *driver.RegistryDefault) []registration.PostHookPostPersistExecutor {
 					return []registration.PostHookPostPersistExecutor{
 						hook.NewVerifier(reg),
@@ -278,15 +291,13 @@ func TestDriverDefault_Hooks(t *testing.T) {
 			{
 				uc: "A session hook and a web_hook are configured for password strategy",
 				config: map[string]any{
-					config.ViperKeySelfServiceVerificationEnabled: true,
 					config.ViperKeySelfServiceRegistrationAfter + ".password.hooks": []map[string]any{
 						{"hook": "web_hook", "config": map[string]any{"headers": map[string]string{"X-Custom-Header": "test"}, "url": "foo", "method": "POST", "body": "bar"}},
 						{"hook": "session"},
 					},
 				},
 				expect: func(reg *driver.RegistryDefault) []registration.PostHookPostPersistExecutor {
 					return []registration.PostHookPostPersistExecutor{
-						hook.NewVerifier(reg),
 						hook.NewWebHook(reg, json.RawMessage(`{"body":"bar","headers":{"X-Custom-Header":"test"},"method":"POST","url":"foo"}`)),
 						hook.NewSessionIssuer(reg),
 					}
@@ -317,11 +328,9 @@ func TestDriverDefault_Hooks(t *testing.T) {
 					config.ViperKeySelfServiceRegistrationAfter + ".hooks": []map[string]any{
 						{"hook": "web_hook", "config": map[string]any{"url": "bar", "method": "POST", "headers": map[string]string{"X-Custom-Header": "test"}}},
 					},
-					config.ViperKeySelfServiceVerificationEnabled: true,
 				},
 				expect: func(reg *driver.RegistryDefault) []registration.PostHookPostPersistExecutor {
 					return []registration.PostHookPostPersistExecutor{
-						hook.NewVerifier(reg),
 						hook.NewWebHook(reg, json.RawMessage(`{"headers":{"X-Custom-Header":"test"},"method":"GET","url":"foo"}`)),
 						hook.NewSessionIssuer(reg),
 					}
@@ -553,7 +562,9 @@ func TestDriverDefault_Hooks(t *testing.T) {
 			{
 				uc: "Only verify hook configured for the strategy",
 				config: map[string]any{
-					config.ViperKeySelfServiceVerificationEnabled: true,
+					config.ViperKeySelfServiceSettingsAfter + ".profile.hooks": []map[string]any{
+						{"hook": "verification"},
+					},
 					// I think this is a bug as there is a hook named verify defined for both profile and password
 					// strategies. Instead of using it, the code makes use of the property used above and which
 					// is defined in an entirely different flow (verification).
@@ -570,11 +581,9 @@ func TestDriverDefault_Hooks(t *testing.T) {
 					config.ViperKeySelfServiceSettingsAfter + ".profile.hooks": []map[string]any{
 						{"hook": "web_hook", "config": map[string]any{"headers": []map[string]string{{"X-Custom-Header": "test"}}, "url": "foo", "method": "POST", "body": "bar"}},
 					},
-					config.ViperKeySelfServiceVerificationEnabled: true,
 				},
 				expect: func(reg *driver.RegistryDefault) []settings.PostHookPostPersistExecutor {
 					return []settings.PostHookPostPersistExecutor{
-						hook.NewVerifier(reg),
 						hook.NewWebHook(reg, json.RawMessage(`{"body":"bar","headers":[{"X-Custom-Header":"test"}],"method":"POST","url":"foo"}`)),
 					}
 				},
@@ -597,7 +606,6 @@ func TestDriverDefault_Hooks(t *testing.T) {
 			{
 				uc: "Hooks are configured on a global level, as well as on a strategy level",
 				config: map[string]any{
-					config.ViperKeySelfServiceVerificationEnabled: true,
 					config.ViperKeySelfServiceSettingsAfter + ".profile.hooks": []map[string]any{
 						{"hook": "web_hook", "config": map[string]any{"url": "foo", "method": "GET", "headers": map[string]string{"X-Custom-Header": "test"}}},
 					},
@@ -607,7 +615,6 @@ func TestDriverDefault_Hooks(t *testing.T) {
 				},
 				expect: func(reg *driver.RegistryDefault) []settings.PostHookPostPersistExecutor {
 					return []settings.PostHookPostPersistExecutor{
-						hook.NewVerifier(reg),
 						hook.NewWebHook(reg, json.RawMessage(`{"headers":{"X-Custom-Header":"test"},"method":"GET","url":"foo"}`)),
 					}
 				},
diff --git a/selfservice/flow/registration/hook_test.go b/selfservice/flow/registration/hook_test.go
@@ -187,9 +187,12 @@ func TestRegistrationExecutor(t *testing.T) {
 				t.Run("case=should redirect to verification UI if show_verification_ui hook is set", func(t *testing.T) {
 					verificationTS := testhelpers.NewVerificationUIFlowEchoServer(t, reg)
 					t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf))
-					conf.MustSet(ctx, config.ViperKeySelfServiceVerificationEnabled, true)
 					conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationAfter+".hooks", []map[string]interface{}{
 						{
+							"hook": hook.KeyVerifier,
+						},
+						{
+
 							"hook": hook.KeyVerificationUI,
 						},
 					})
@@ -205,10 +208,14 @@ func TestRegistrationExecutor(t *testing.T) {
 				t.Run("case=should redirect to verification UI if there is a login_challenge", func(t *testing.T) {
 					verificationTS := testhelpers.NewVerificationUIFlowEchoServer(t, reg)
 					t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf))
-					conf.MustSet(ctx, config.ViperKeySelfServiceVerificationEnabled, true)
-					conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationAfter+".hooks", []map[string]interface{}{{
-						"hook": hook.KeyVerificationUI,
-					}})
+					conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationAfter+".hooks", []map[string]interface{}{
+						{
+							"hook": hook.KeyVerifier,
+						},
+						{
+							"hook": hook.KeyVerificationUI,
+						},
+					})
 					i := testhelpers.SelfServiceHookFakeIdentity(t)
 					i.Traits = identity.Traits(`{"email": "verifiable-valid-login_challenge@ory.sh"}`)
 
@@ -228,8 +235,10 @@ func TestRegistrationExecutor(t *testing.T) {
 				t.Run("case=should redirect to first verification UI if show_verification_ui hook is set and multiple verifiable addresses", func(t *testing.T) {
 					verificationTS := testhelpers.NewVerificationUIFlowEchoServer(t, reg)
 					t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf))
-					conf.MustSet(ctx, config.ViperKeySelfServiceVerificationEnabled, true)
 					conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationAfter+".hooks", []map[string]interface{}{
+						{
+							"hook": hook.KeyVerifier,
+						},
 						{
 							"hook": hook.KeyVerificationUI,
 						},
@@ -248,8 +257,10 @@ func TestRegistrationExecutor(t *testing.T) {
 				t.Run("case=should still sent session if show_verification_ui is set after session hook", func(t *testing.T) {
 					verificationTS := testhelpers.NewVerificationUIFlowEchoServer(t, reg)
 					t.Cleanup(testhelpers.SelfServiceHookConfigReset(t, conf))
-					conf.MustSet(ctx, config.ViperKeySelfServiceVerificationEnabled, true)
 					conf.MustSet(ctx, config.ViperKeySelfServiceRegistrationAfter+".hooks", []map[string]interface{}{
+						{
+							"hook": hook.KeyVerifier,
+						},
 						{
 							"hook": hook.KeyVerificationUI,
 						},
diff --git a/selfservice/strategy/profile/strategy_test.go b/selfservice/strategy/profile/strategy_test.go
@@ -17,6 +17,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/kratos/selfservice/hook"
+
 	"github.com/ory/x/jsonx"
 
 	kratos "github.com/ory/kratos/internal/httpclient"
@@ -532,7 +534,7 @@ func TestStrategyTraits(t *testing.T) {
 	t.Run("description=should send email with verifiable address", func(t *testing.T) {
 		setPrivileged(t)
 
-		conf.MustSet(ctx, config.ViperKeySelfServiceVerificationEnabled, true)
+		conf.MustSet(ctx, config.ViperKeySelfServiceSettingsAfter+".profile.hooks", []map[string]any{{"hook": hook.KeyVerifier}})
 		conf.MustSet(ctx, config.ViperKeyCourierSMTPURL, "smtp://foo:bar@irrelevant.com/")
 		t.Cleanup(func() {
 			conf.MustSet(ctx, config.HookStrategyKey(config.ViperKeySelfServiceSettingsAfter, settings.StrategyProfile), nil)

Original file line number	Diff line number	Diff line change
`@@ -26,19 +26,13 @@ func (m *RegistryDefault) PostRegistrationPrePersistHooks(ctx context.Context, c`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`func (m *RegistryDefault) PostRegistrationPostPersistHooks(ctx context.Context, credentialsType identity.CredentialsType) (b []registration.PostHookPostPersistExecutor) {`
`29`		`- initialHookCount := 0`
`30`		`- if m.Config().SelfServiceFlowVerificationEnabled(ctx) {`
`31`		`- b = append(b, m.HookVerifier())`
`32`		`- initialHookCount = 1`
`33`		`- }`
`34`		`-`
`35`	`29`	`for _, v := range m.getHooks(string(credentialsType), m.Config().SelfServiceFlowRegistrationAfterHooks(ctx, string(credentialsType))) {`
`36`	`30`	`if hook, ok := v.(registration.PostHookPostPersistExecutor); ok {`
`37`	`31`	`b = append(b, hook)`
`38`	`32`	`}`
`39`	`33`	`}`
`40`	`34`
`41`		`- if len(b) == initialHookCount {`
	`35`	`+ if len(b) == 0 {`
`42`	`36`	`// since we don't want merging hooks defined in a specific strategy and`
`43`	`37`	`// global hooks are added only if no strategy specific hooks are defined`
`44`	`38`	`for _, v := range m.getHooks(config.HookGlobal, m.Config().SelfServiceFlowRegistrationAfterHooks(ctx, config.HookGlobal)) {`
Original file line number	Diff line number	Diff line change
`@@ -29,19 +29,13 @@ func (m *RegistryDefault) PreSettingsHooks(ctx context.Context) (b []settings.Pr`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`func (m *RegistryDefault) PostSettingsPostPersistHooks(ctx context.Context, settingsType string) (b []settings.PostHookPostPersistExecutor) {`
`32`		`- initialHookCount := 0`
`33`		`- if m.Config().SelfServiceFlowVerificationEnabled(ctx) {`
`34`		`- b = append(b, m.HookVerifier())`
`35`		`- initialHookCount = 1`
`36`		`- }`
`37`		`-`
`38`	`32`	`for _, v := range m.getHooks(settingsType, m.Config().SelfServiceFlowSettingsAfterHooks(ctx, settingsType)) {`
`39`	`33`	`if hook, ok := v.(settings.PostHookPostPersistExecutor); ok {`
`40`	`34`	`b = append(b, hook)`
`41`	`35`	`}`
`42`	`36`	`}`
`43`	`37`
`44`		`- if len(b) == initialHookCount {`
	`38`	`+ if len(b) == 0 {`
`45`	`39`	`// since we don't want merging hooks defined in a specific strategy and global hooks`
`46`	`40`	`// global hooks are added only if no strategy specific hooks are defined`
`47`	`41`	`for _, v := range m.getHooks(config.HookGlobal, m.Config().SelfServiceFlowSettingsAfterHooks(ctx, config.HookGlobal)) {`