we should not send blocked users a recovery code

ory · Nov 14, 2024 · 763f631 · 763f631
1 parent 10a80a9
commit 763f631
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/selfservice/strategy/code/code_sender.go b/selfservice/strategy/code/code_sender.go
@@ -13,6 +13,7 @@ import (
 	"github.com/ory/herodot"
 	"github.com/ory/kratos/courier/template/email"
 	"github.com/ory/kratos/courier/template/sms"
+	"github.com/ory/kratos/schema"
 
 	"github.com/ory/x/sqlcon"
 	"github.com/ory/x/stringsx"
@@ -205,7 +206,7 @@ func (s *Sender) SendRecoveryCode(ctx context.Context, f *recovery.Flow, via ide
 
 	var address *identity.RecoveryAddress
 	var err error
-
+	
 	if via == identity.VerifiableAddressTypeEmail {
 		address, err = s.deps.IdentityPool().FindRecoveryAddressByValue(ctx, identity.RecoveryAddressTypeEmail, to)
 	} else {
@@ -245,7 +246,10 @@ func (s *Sender) SendRecoveryCode(ctx context.Context, f *recovery.Flow, via ide
 	if err != nil {
 		return err
 	}
-
+
+	if i.IsBlocked() {
+		return errors.WithStack(schema.NewErrorValidationRecoveryNoStrategyFoundForBlockedAccount())
+	}
 	rawCode := GenerateCode()
 
 	var code *RecoveryCode