wso2-extensions · Rashmini · Sep 20, 2023 · Aug 29, 2023 · Aug 29, 2023 · Aug 31, 2023
diff --git a/...a/org/wso2/carbon/identity/recovery/internal/service/impl/UserAccountRecoveryManager.java b/...a/org/wso2/carbon/identity/recovery/internal/service/impl/UserAccountRecoveryManager.java
@@ -931,58 +931,6 @@ public UserRecoveryData getUserRecoveryData(String code, RecoverySteps step) thr
         return recoveryData;
     }
 
-    /**
-     * This method is to retrieve user recovery data using the confirmation code when there's no recovery flow id.
-     * This is added as a fallback logic to handle the already initiated email link based recovery flows which do not
-     * have recovery flow ids, which were initiated before moving to the Recovery V2 API.
-     * This shouldn't be used for any other purpose and should be kept for sometime.
-     *
-     * @param code Code given for recovery.
-     * @param recoveryFlowId Recovery flow id of the user.
-     * @param step Recovery step.
-     * @return UserRecoveryData Data associated with the provided code.
-     * @throws IdentityRecoveryException If an error occurred while validating the recoveryId.
-     */
-    @Deprecated
-    public UserRecoveryData getUserRecoveryDataFromConfirmationCode(String code, String recoveryFlowId,
-                                                                    RecoverySteps step)
-            throws IdentityRecoveryException {
-
-        UserRecoveryData recoveryData;
-        UserRecoveryDataStore userRecoveryDataStore = JDBCRecoveryDataStore.getInstance();
-        try {
-            // Retrieve recovery data bound to the recoveryId.
-            recoveryData = userRecoveryDataStore.load(code);
-        } catch (IdentityRecoveryException e) {
-            // Map code expired error to new error codes for user account recovery.
-            if (IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE.getCode().equals(e.getErrorCode())) {
-                e.setErrorCode(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_FLOW_ID.getCode());
-            } else if (IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_EXPIRED_CODE.getCode()
-                    .equals(e.getErrorCode())) {
-                e.setErrorCode(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_EXPIRED_RECOVERY_FLOW_ID.getCode());
-            } else {
-                e.setErrorCode(Utils.prependOperationScenarioToErrorCode(e.getErrorCode(),
-                        IdentityRecoveryConstants.USER_ACCOUNT_RECOVERY));
-            }
-            throw e;
-        }
-        if (recoveryData == null) {
-            throw Utils
-                    .handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_NO_ACCOUNT_RECOVERY_DATA,
-                            recoveryFlowId);
-        }
-        if (!StringUtils.equals(recoveryData.getRemainingSetIds(),
-                NotificationChannels.EMAIL_CHANNEL.getChannelType())) {
-            throw Utils.handleClientException(
-                        IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_FLOW_ID, recoveryFlowId);
-        }
-        if (!step.equals(recoveryData.getRecoveryStep())) {
-            throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE,
-                    recoveryFlowId);
-        }
-        return recoveryData;
-    }
-
     /**
      * Get user recovery data using the recovery flow id.
      *

diff --git a/.../carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java b/.../carbon/identity/recovery/internal/service/impl/password/PasswordRecoveryManagerImpl.java
@@ -236,7 +236,6 @@ public PasswordResetCodeDTO confirm(String otp, String confirmationCode, String
             recoveryFlowId = confirmationCode;
             code = otp;
         }
-        // Get Recovery data.
         try {
             UserRecoveryData userRecoveryData = userAccountRecoveryManager
                     .getUserRecoveryDataFromFlowId(recoveryFlowId, RecoverySteps.UPDATE_PASSWORD);
@@ -271,21 +270,9 @@ public PasswordResetCodeDTO confirm(String otp, String confirmationCode, String
                     IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_CODE.getCode(),
                     IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE.getMessage(), code);
         } catch (IdentityRecoveryException e) {
-            // This is a fallback logic to support already initiated email link based recovery flows using the
-            // recovery V1 API, which do not have recovery flow ids.
-            UserRecoveryData userRecoveryData = userAccountRecoveryManager.getUserRecoveryDataFromConfirmationCode(
-                    recoveryFlowId, recoveryFlowId, RecoverySteps.UPDATE_PASSWORD);
-            if (!tenantDomain.equals(userRecoveryData.getUser().getTenantDomain())) {
-                throw Utils.handleClientException(
-                        IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_USER_TENANT_DOMAIN_MISS_MATCH_WITH_CONTEXT,
-                        tenantDomain);
-            }
-            String domainQualifiedName = IdentityUtil.addDomainToName(userRecoveryData.getUser().getUserName(),
-                    userRecoveryData.getUser().getUserStoreDomain());
-            if (log.isDebugEnabled()) {
-                log.debug("Valid confirmation code for user: " + domainQualifiedName);
-            }
-            return buildPasswordResetCodeDTO(recoveryFlowId);
+            /* This is a fallback logic to support already initiated email link based recovery flows using the
+            recovery V1 API, which do not have recovery flow ids. */
+            return validateConfirmationCode(userAccountRecoveryManager, recoveryFlowId, tenantDomain);
         }
     }
 
@@ -874,4 +861,48 @@ private boolean isMinNoOfRecoveryQuestionsAnswered(String username, String tenan
         return isMinNoOfRecoveryQuestionsAnswered;
     }
 
+    /**
+     * This method is to validate the confirmation code when there's no recovery flow id. This is added as a fallback
+     * logic to handle the already initiated email link based recovery flows which do not have recovery flow ids,
+     * which were initiated before moving to the Recovery V2 API. This shouldn't be used for any other purpose and
+     * should be kept for sometime.
+     *
+     * @param userAccountRecoveryManager UserAccountRecoveryManager.
+     * @param confirmationCode Confirmation code.
+     * @param tenantDomain     Tenant domain.
+     * @return PasswordResetCodeDTO {@link PasswordResetCodeDTO} object which contains password reset code.
+     * @throws IdentityRecoveryException Error while confirming password recovery.
+     */
+    @Deprecated
+    private PasswordResetCodeDTO validateConfirmationCode(UserAccountRecoveryManager userAccountRecoveryManager,
+                                                          String confirmationCode, String tenantDomain)
+            throws IdentityRecoveryException {
+        UserRecoveryData userRecoveryData;
+        try {
+            userRecoveryData = userAccountRecoveryManager.getUserRecoveryData(confirmationCode,
+                    RecoverySteps.UPDATE_PASSWORD);
+        } catch (IdentityRecoveryException e) {
+            if (IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_CODE.getCode().equals(
+                    e.getErrorCode())) {
+                e.setErrorCode(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_FLOW_ID.getCode());
+            }
+            throw e;
+        }
+        if (!StringUtils.equals(userRecoveryData.getRemainingSetIds(),
+                NotificationChannels.EMAIL_CHANNEL.getChannelType())) {
+            throw Utils.handleClientException(
+                    IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_FLOW_ID, confirmationCode);
+        }
+        if (!tenantDomain.equals(userRecoveryData.getUser().getTenantDomain())) {
+            throw Utils.handleClientException(
+                    IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_USER_TENANT_DOMAIN_MISS_MATCH_WITH_CONTEXT,
+                    tenantDomain);
+        }
+        String domainQualifiedName = IdentityUtil.addDomainToName(userRecoveryData.getUser().getUserName(),
+                userRecoveryData.getUser().getUserStoreDomain());
+        if (log.isDebugEnabled()) {
+            log.debug("Valid confirmation code for user: " + domainQualifiedName);
+        }
+        return buildPasswordResetCodeDTO(confirmationCode);
+    }
 }
diff --git a/.../java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java b/.../java/org/wso2/carbon/identity/recovery/password/NotificationPasswordRecoveryManager.java
@@ -660,7 +660,6 @@ public User updateUserPassword(String code, String confirmationCode, String pass
             throws IdentityRecoveryException, IdentityEventException {
 
         UserRecoveryDataStore userRecoveryDataStore = JDBCRecoveryDataStore.getInstance();
-        UserAccountRecoveryManager userAccountRecoveryManager = UserAccountRecoveryManager.getInstance();
         UserRecoveryData userRecoveryData;
         try {
             userRecoveryData = userRecoveryDataStore.loadFromRecoveryFlowId(confirmationCode,
@@ -687,20 +686,9 @@ public User updateUserPassword(String code, String confirmationCode, String pass
                         IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE.getMessage(), code);
             }
         } catch (IdentityRecoveryException e) {
-            // This is a fallback logic to support already initiated email link based recovery flows using the
-            // recovery V1 API, which do not have recovery flow ids.
-            userRecoveryData = userAccountRecoveryManager.getUserRecoveryDataFromConfirmationCode(code,
-                    confirmationCode, RecoverySteps.UPDATE_PASSWORD);
-            validateCallback(properties, userRecoveryData.getUser().getTenantDomain());
-            publishEvent(userRecoveryData.getUser(), null, code, password, properties,
-                    IdentityEventConstants.Event.PRE_ADD_NEW_PASSWORD, userRecoveryData);
-            validateTenantDomain(userRecoveryData.getUser());
-
-            // Validate recovery step.
-            if (!RecoverySteps.UPDATE_PASSWORD.equals(userRecoveryData.getRecoveryStep())) {
-                throw Utils.handleClientException(
-                        IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE, code);
-            }
+            /* This is a fallback logic to support already initiated email link based recovery flows using the
+            recovery V1 API, which do not have recovery flow ids. */
+            userRecoveryData = validateUserRecoveryDataFromCode(code, confirmationCode, password, properties);
         }
 
         // Get the notification channel.
@@ -766,6 +754,52 @@ public User updateUserPassword(String code, String confirmationCode, String pass
         return userRecoveryData.getUser();
     }
 
+    /**
+     * This method is to validate user recovery data using the reset code when there's no recovery flow id.
+     * This is added as a fallback logic to handle the already initiated email link based recovery flows which do not
+     * have recovery flow ids, which were initiated before moving to the Recovery V2 API.
+     * This shouldn't be used for any other purpose and should be kept for sometime.
+     *
+     * @param userAccountRecoveryManager UserAccountRecoveryManager.
+     * @param code                       Password Reset code.
+     * @param confirmationCode           Confirmation code.
+     * @param password                   New password.
+     * @param properties                 Properties.
+     * @return UserRecoveryData.
+     * @throws IdentityRecoveryException Error while updating the password.
+     */
+    @Deprecated
+    private UserRecoveryData validateUserRecoveryDataFromCode(String code, String confirmationCode, String password,
+                                                              Property[] properties) throws IdentityRecoveryException {
+        UserRecoveryData userRecoveryData;
+        UserAccountRecoveryManager userAccountRecoveryManager = UserAccountRecoveryManager.getInstance();
+        try {
+            userRecoveryData = userAccountRecoveryManager.getUserRecoveryData(code, RecoverySteps.UPDATE_PASSWORD);
+        } catch (IdentityRecoveryException e) {
+            if (IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_CODE.getCode().equals(
+                    e.getErrorCode())) {
+                e.setErrorCode(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_FLOW_ID.getCode());
+            }
+            throw e;
+        }
+        if (!StringUtils.equals(userRecoveryData.getRemainingSetIds(),
+                NotificationChannels.EMAIL_CHANNEL.getChannelType())) {
+            throw Utils.handleClientException(
+                    IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_RECOVERY_FLOW_ID, confirmationCode);
+        }
+        validateCallback(properties, userRecoveryData.getUser().getTenantDomain());
+        publishEvent(userRecoveryData.getUser(), null, code, password, properties,
+                IdentityEventConstants.Event.PRE_ADD_NEW_PASSWORD, userRecoveryData);
+        validateTenantDomain(userRecoveryData.getUser());
+
+        // Validate recovery step.
+        if (!RecoverySteps.UPDATE_PASSWORD.equals(userRecoveryData.getRecoveryStep())) {
+            throw Utils.handleClientException(
+                    IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE, code);
+        }
+        return userRecoveryData;
+    }
+
     /**
      * Update the new password of the user.
      *