feat: allow disabling verification hook auto-inject#4577
Conversation
📝 WalkthroughWalkthroughA new boolean feature flag ChangesVerification Hook Auto-Injection Toggle
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
60dd059 to
7f885bd
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@selfservice/hook/verification_test.go`:
- Around line 153-180: The test case "should not send verification emails when
auto-injection is disabled" bypasses the auto-injection validation by manually
executing hook.NewVerifier(reg) on line 173, which does not test the intended
behavior. Remove the manual hook execution (lines 173-174: `h :=
hook.NewVerifier(reg)` and `tc.execHook(h, i, originalFlow)`) and instead
execute the hooks retrieved from reg.PostRegistrationPostPersistHooks on line
165, then assert that zero messages are queued (change the require.Len assertion
to expect 0 messages instead of 1). This directly validates that disabling
auto-injection prevents the verifier hook from being called in the normal hook
chain.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 8405619d-0a4f-4496-9de3-77deaf28c512
📒 Files selected for processing (7)
driver/config/config.godriver/config/config_test.godriver/registry_default_registration.godriver/registry_default_settings.godriver/registry_default_test.goembedx/config.schema.jsonselfservice/hook/verification_test.go
7f885bd to
3b8cfcf
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
selfservice/hook/verification_test.go (1)
153-175: ⚡ Quick winMove this subtest out of the
flowloop to avoid duplicate/misleading execution.This case validates registration hook auto-injection only, but it runs under both
flow=loginandflow=registrationand does not usetc. Consider moving it outside thefor _, tc := ...loop (or parameterizing by hook family) so test output matches intent and avoids duplicate runs.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@selfservice/hook/verification_test.go` around lines 153 - 175, The subtest "case=should not send verification emails when auto-injection is disabled" is currently nested inside a loop that iterates over different flows (login/registration), but this test only validates registration hook auto-injection behavior and does not use the loop variable. Move this t.Run call outside the for loop so it executes only once with the correct context, preventing duplicate/misleading test runs under unintended flow configurations.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@selfservice/hook/verification_test.go`:
- Around line 153-175: The subtest "case=should not send verification emails
when auto-injection is disabled" is currently nested inside a loop that iterates
over different flows (login/registration), but this test only validates
registration hook auto-injection behavior and does not use the loop variable.
Move this t.Run call outside the for loop so it executes only once with the
correct context, preventing duplicate/misleading test runs under unintended flow
configurations.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: c97dc315-db8f-4998-af7a-5c90a7fc62e4
📒 Files selected for processing (7)
driver/config/config.godriver/config/config_test.godriver/registry_default_registration.godriver/registry_default_settings.godriver/registry_default_test.goembedx/config.schema.jsonselfservice/hook/verification_test.go
🚧 Files skipped from review as they are similar to previous changes (6)
- driver/registry_default_registration.go
- driver/config/config.go
- driver/registry_default_test.go
- driver/registry_default_settings.go
- driver/config/config_test.go
- embedx/config.schema.json
3b8cfcf to
d0b2689
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
driver/config/config_test.go (1)
641-643: 💤 Low valueConsider moving the test to a more semantically appropriate function.
The
TestSessionfunction tests session-related configurations (session name, lifespan, persistent cookie, whoami caching). The verification hook auto-injection test at lines 641-643 is about post-registration/settings hooks, not sessions. While the test is functionally correct, placing it in a dedicated test function (e.g.,TestVerificationHookAutoInjectionor grouping it with other verification-related tests) would improve code organization and make it easier for future maintainers to locate.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@driver/config/config_test.go` around lines 641 - 643, The test code at lines 641-643 testing SelfServiceVerificationHookAutoInjectionDisabled is currently located in the TestSession function, but it tests verification hook auto-injection configuration rather than session-related configuration. Move this test snippet (the three assert lines testing the verification hook auto-injection disabled state) out of TestSession and into a new dedicated test function named TestVerificationHookAutoInjection or similar. This improves code organization by semantically grouping related tests together and makes it easier for maintainers to locate verification hook-related tests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@driver/config/config_test.go`:
- Around line 641-643: The test code at lines 641-643 testing
SelfServiceVerificationHookAutoInjectionDisabled is currently located in the
TestSession function, but it tests verification hook auto-injection
configuration rather than session-related configuration. Move this test snippet
(the three assert lines testing the verification hook auto-injection disabled
state) out of TestSession and into a new dedicated test function named
TestVerificationHookAutoInjection or similar. This improves code organization by
semantically grouping related tests together and makes it easier for maintainers
to locate verification hook-related tests.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 388ecae3-3b96-4c73-9df3-4a244a63056f
📒 Files selected for processing (7)
driver/config/config.godriver/config/config_test.godriver/registry_default_registration.godriver/registry_default_settings.godriver/registry_default_test.goembedx/config.schema.jsonselfservice/hook/verification_test.go
🚧 Files skipped from review as they are similar to previous changes (4)
- selfservice/hook/verification_test.go
- driver/config/config.go
- embedx/config.schema.json
- driver/registry_default_test.go
d0b2689 to
5baacab
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
driver/config/config_test.go (1)
642-651: 💤 Low valueTest correctly verifies config-level flag behavior.
The test appropriately checks the default value (
false, preserving backward compatibility) and the setter functionality. Well done.♻️ Optional: use assert.True/False for slightly more idiomatic boolean checks
- assert.Equal(t, false, p.SelfServiceVerificationHookAutoInjectionDisabled(ctx)) + assert.False(t, p.SelfServiceVerificationHookAutoInjectionDisabled(ctx)) p.MustSet(ctx, config.ViperKeyDisableVerificationHookAutoInjection, true) - assert.Equal(t, true, p.SelfServiceVerificationHookAutoInjectionDisabled(ctx)) + assert.True(t, p.SelfServiceVerificationHookAutoInjectionDisabled(ctx))Note: Both forms are valid; this file uses both patterns (e.g., lines 62, 66 vs. line 234), so the current code is consistent.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@driver/config/config_test.go` around lines 642 - 651, The test TestVerificationHookAutoInjection is well-structured and correctly verifies the config flag behavior with both default and set values. As an optional improvement for more idiomatic Go testing, consider refactoring the two assert.Equal calls that check boolean values (the assertions comparing to false and true respectively) to use assert.False and assert.True instead. Note that this is optional since the file already consistently uses both patterns throughout, so maintaining the current assert.Equal style is also acceptable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@driver/config/config_test.go`:
- Around line 642-651: The test TestVerificationHookAutoInjection is
well-structured and correctly verifies the config flag behavior with both
default and set values. As an optional improvement for more idiomatic Go
testing, consider refactoring the two assert.Equal calls that check boolean
values (the assertions comparing to false and true respectively) to use
assert.False and assert.True instead. Note that this is optional since the file
already consistently uses both patterns throughout, so maintaining the current
assert.Equal style is also acceptable.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 6ed7feb2-140d-42f3-abce-a533a5030259
📒 Files selected for processing (7)
driver/config/config.godriver/config/config_test.godriver/registry_default_registration.godriver/registry_default_settings.godriver/registry_default_test.goembedx/config.schema.jsonselfservice/hook/verification_test.go
🚧 Files skipped from review as they are similar to previous changes (6)
- driver/registry_default_settings.go
- embedx/config.schema.json
- driver/registry_default_registration.go
- selfservice/hook/verification_test.go
- driver/registry_default_test.go
- driver/config/config.go
Related issue(s)
Fixes #4437
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.com) from the maintainers to push
the changes.
works.
Further Comments
Summary by CodeRabbit
feature_flags.disable_verification_hook_auto_injectionto control whether verification hooks are automatically inserted in self-service registration and settings flows.selfServiceVerificationHookhook type in the self-service hook schema.verificationhooks still take effect.