fix: tailor validation errors and requiredness to schema

The implementation up to now unblocks using SMS verification, but
it had the downside of always adding phone fields to verification
unconditionally. (The previous implementation added the email field
unconditionally.) This commit makes the verification fields conditional
on the schema.

Author: aran

selfservice/strategy/code/.snapshots/TestVerification-description=should_respect_schema_when_showing_verification_payloads-case=shows_fields_based_on_email-phone_schema.json

@@ -0,0 +1,70 @@
+[
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "email",
+      "node_type": "input",
+      "type": "email"
+    },
+    "group": "code",
+    "messages": [],
+    "meta": {
+      "label": {
+        "id": 1070007,
+        "text": "Email",
+        "type": "info"
+      }
+    },
+    "type": "input"
+  },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "phone",
+      "node_type": "input",
+      "type": "tel"
+    },
+    "group": "code",
+    "messages": [],
+    "meta": {
+      "label": {
+        "id": 1070016,
+        "text": "Phone",
+        "type": "info"
+      }
+    },
+    "type": "input"
+  },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "method",
+      "node_type": "input",
+      "type": "submit",
+      "value": "code"
+    },
+    "group": "code",
+    "messages": [],
+    "meta": {
+      "label": {
+        "id": 1070009,
+        "text": "Continue",
+        "type": "info"
+      }
+    },
+    "type": "input"
+  },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "csrf_token",
+      "node_type": "input",
+      "required": true,
+      "type": "hidden"
+    },
+    "group": "default",
+    "messages": [],
+    "meta": {},
+    "type": "input"
+  }
+]

selfservice/strategy/code/.snapshots/TestVerification-description=should_respect_schema_when_showing_verification_payloads-case=shows_fields_based_on_phone-only_schema.json

@@ -0,0 +1,53 @@
+[
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "phone",
+      "node_type": "input",
+      "required": true,
+      "type": "tel"
+    },
+    "group": "code",
+    "messages": [],
+    "meta": {
+      "label": {
+        "id": 1070016,
+        "text": "Phone",
+        "type": "info"
+      }
+    },
+    "type": "input"
+  },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "method",
+      "node_type": "input",
+      "type": "submit",
+      "value": "code"
+    },
+    "group": "code",
+    "messages": [],
+    "meta": {
+      "label": {
+        "id": 1070009,
+        "text": "Continue",
+        "type": "info"
+      }
+    },
+    "type": "input"
+  },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "csrf_token",
+      "node_type": "input",
+      "required": true,
+      "type": "hidden"
+    },
+    "group": "default",
+    "messages": [],
+    "meta": {},
+    "type": "input"
+  }
+]

selfservice/strategy/code/strategy.go

@@ -6,6 +6,8 @@ package code
 import (
 	"context"
 	"encoding/json"
+	"fmt"
+	"io"
 	"net/http"
 	"sort"
 	"strings"
@@ -16,6 +18,7 @@ import (
 	"github.com/tidwall/gjson"
 
 	"github.com/ory/herodot"
+	"github.com/ory/jsonschema/v3"
 	"github.com/ory/kratos/continuity"
 	"github.com/ory/kratos/courier"
 	"github.com/ory/kratos/driver/config"
@@ -247,6 +250,132 @@ func (s *Strategy) PopulateMethod(r *http.Request, f flow.Flow) error {
 	return nil
 }
 
+func (s *Strategy) GetSupportedVerificationChannels(ctx context.Context) (map[identity.VerifiableAddressType]bool, error) {
+	channels := make(map[identity.VerifiableAddressType]bool)
+
+	schemaList, err := s.deps.IdentityTraitsSchemas(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	schemaID := s.deps.Config().DefaultIdentityTraitsSchemaID(ctx)
+	identitySchema, err := schemaList.GetByID(schemaID)
+	if err != nil {
+		return nil, err
+	}
+
+	rawURL := identitySchema.RawURL
+	if rawURL == "" && identitySchema.URL != nil {
+		rawURL = identitySchema.URL.String()
+	}
+
+	schemaFile, err := jsonschema.LoadURL(ctx, rawURL)
+	if err != nil {
+		return nil, err
+	}
+
+	schemaData, err := io.ReadAll(io.LimitReader(schemaFile, 1024*1024))
+	if err != nil {
+		return nil, err
+	}
+
+	var schemaJSON map[string]interface{}
+	if err := json.Unmarshal(schemaData, &schemaJSON); err != nil {
+		return nil, err
+	}
+
+	// properties.traits.properties.<trait>."ory.sh/kratos".verification.via
+	if props, ok := schemaJSON["properties"].(map[string]interface{}); ok {
+		if traits, ok := props["traits"].(map[string]interface{}); ok {
+			if traitProps, ok := traits["properties"].(map[string]interface{}); ok {
+				for _, propValue := range traitProps {
+					if prop, ok := propValue.(map[string]interface{}); ok {
+						if ext, ok := prop[schema.ExtensionName].(map[string]interface{}); ok {
+							if verification, ok := ext["verification"].(map[string]interface{}); ok {
+								// Set the appropriate channel based on verification via value
+								switch verification["via"].(string) {
+								case identity.ChannelTypeEmail:
+									channels[identity.VerifiableAddressTypeEmail] = true
+								case identity.ChannelTypeSMS:
+									channels[identity.VerifiableAddressTypePhone] = true
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	if len(channels) == 0 {
+		return nil, fmt.Errorf("no verification channels found in schema")
+	}
+
+	return channels, nil
+}
+
+func (s *Strategy) GetVerificationRequiredField(ctx context.Context) (pointer string, property string, err error) {
+	channels, err := s.GetSupportedVerificationChannels(ctx)
+	if err != nil {
+		return "#/identifier", "identifier", err
+	}
+
+	activeChannelCount := 0
+	for _, active := range channels {
+		if active {
+			activeChannelCount++
+		}
+	}
+
+	// Return field-specific errors if only one channel is supported
+	if activeChannelCount == 1 {
+		if channels[identity.VerifiableAddressTypeEmail] {
+			return "#/email", "email", nil
+		}
+		if channels[identity.VerifiableAddressTypePhone] {
+			return "#/phone", "phone", nil
+		}
+	}
+
+	// Default to generic identifier error
+	return "#/identifier", "identifier", nil
+}
+
+func (s *Strategy) addVerificationNodes(ctx context.Context, nodes *node.Nodes, email interface{}, phone interface{}) error {
+	channels, err := s.GetSupportedVerificationChannels(ctx)
+	if err != nil {
+		return err
+	}
+
+	activeChannelCount := 0
+	for _, active := range channels {
+		if active {
+			activeChannelCount++
+		}
+	}
+
+	opts := []node.InputAttributesModifier{}
+	if activeChannelCount == 1 {
+		opts = append(opts, node.WithRequiredInputAttribute)
+	}
+
+	if channels[identity.VerifiableAddressTypeEmail] {
+		nodes.Append(
+			node.NewInputField("email", email, node.CodeGroup, node.InputAttributeTypeEmail, opts...).
+				WithMetaLabel(text.NewInfoNodeInputEmail()),
+		)
+	}
+
+	if channels[identity.VerifiableAddressTypePhone] {
+		nodes.Append(
+			node.NewInputField("phone", phone, node.CodeGroup, node.InputAttributeTypeTel, opts...).
+				WithMetaLabel(text.NewInfoNodeInputPhone()),
+		)
+	}
+
+	return nil
+}
+
 func (s *Strategy) populateChooseMethodFlow(r *http.Request, f flow.Flow) error {
 	ctx := r.Context()
 	switch f := f.(type) {
@@ -260,15 +389,10 @@ func (s *Strategy) populateChooseMethodFlow(r *http.Request, f flow.Flow) error
 				WithMetaLabel(text.NewInfoNodeLabelContinue()),
 		)
 	case *verification.Flow:
-		// Add both email and phone fields for verification
-		f.GetUI().Nodes.Append(
-			node.NewInputField("email", nil, node.CodeGroup, node.InputAttributeTypeEmail).
-				WithMetaLabel(text.NewInfoNodeInputEmail()),
-		)
-		f.GetUI().Nodes.Append(
-			node.NewInputField("phone", nil, node.CodeGroup, node.InputAttributeTypeTel).
-				WithMetaLabel(text.NewInfoNodeInputPhone()),
-		)
+		if err := s.addVerificationNodes(ctx, &f.GetUI().Nodes, nil, nil); err != nil {
+			return err
+		}
+
 		f.GetUI().Nodes.Append(
 			node.NewInputField("method", s.ID(), node.CodeGroup, node.InputAttributeTypeSubmit).
 				WithMetaLabel(text.NewInfoNodeLabelContinue()),

selfservice/strategy/code/strategy_verification.go

@@ -65,7 +65,6 @@ func (s *Strategy) decodeVerification(r *http.Request) (*updateVerificationFlowW
 	return &body, nil
 }
 
-// handleVerificationError is a convenience function for handling all types of errors that may occur (e.g. validation error).
 func (s *Strategy) handleVerificationError(r *http.Request, f *verification.Flow, body *updateVerificationFlowWithCodeMethod, err error) error {
 	if f != nil {
 		f.UI.SetCSRF(s.deps.GenerateCSRFToken(r))
@@ -76,12 +75,11 @@ func (s *Strategy) handleVerificationError(r *http.Request, f *verification.Flow
 			phone = body.Phone
 		}
 
-		f.UI.GetNodes().Upsert(
-			node.NewInputField("email", email, node.CodeGroup, node.InputAttributeTypeEmail).WithMetaLabel(text.NewInfoNodeInputEmail()),
-		)
-		f.UI.GetNodes().Upsert(
-			node.NewInputField("phone", phone, node.CodeGroup, node.InputAttributeTypeTel).WithMetaLabel(text.NewInfoNodeInputPhone()),
-		)
+		f.UI.Nodes = node.Nodes{}
+
+		if updateErr := s.addVerificationNodes(r.Context(), &f.UI.Nodes, email, phone); updateErr != nil {
+			return errors.Wrap(err, updateErr.Error())
+		}
 	}
 
 	return err
@@ -217,9 +215,25 @@ func (s *Strategy) verificationHandleFormSubmission(ctx context.Context, w http.
 
 		// If not GET: try to use the submitted code
 		return s.verificationUseCode(ctx, w, r, body.Code, f)
-	} else if len(body.Email) == 0 && len(body.Phone) == 0 {
-		// If no code, email, or phone was provided, fail with a validation error
-		return s.handleVerificationError(r, f, body, schema.NewRequiredError("#/identifier", "identifier"))
+	}
+
+	channels, err := s.GetSupportedVerificationChannels(ctx)
+	if err != nil {
+		return s.handleVerificationError(r, f, body, err)
+	}
+
+	hasValidIdentifier := false
+	if channels[identity.VerifiableAddressTypeEmail] && len(body.Email) > 0 {
+		hasValidIdentifier = true
+	}
+	if channels[identity.VerifiableAddressTypePhone] && len(body.Phone) > 0 {
+		hasValidIdentifier = true
+	}
+
+	if !hasValidIdentifier {
+		// If no code and no valid identifier was provided, fail with a validation error
+		pointer, property, _ := s.GetVerificationRequiredField(ctx)
+		return s.handleVerificationError(r, f, body, schema.NewRequiredError(pointer, property))
 	}
 
 	if err := flow.EnsureCSRF(s.deps, r, f.Type, s.deps.Config().DisableAPIFlowEnforcement(ctx), s.deps.GenerateCSRFToken, body.CSRFToken); err != nil {
@@ -230,16 +244,15 @@ func (s *Strategy) verificationHandleFormSubmission(ctx context.Context, w http.
 		return s.handleVerificationError(r, f, body, err)
 	}
 
-	// Handle verification via email or SMS based on provided identifier
-	if len(body.Email) > 0 {
+	if channels[identity.VerifiableAddressTypeEmail] && len(body.Email) > 0 {
 		if err := s.deps.CodeSender().SendVerificationCode(ctx, f, identity.VerifiableAddressTypeEmail, body.Email); err != nil {
 			if !errors.Is(err, ErrUnknownAddress) {
 				return s.handleVerificationError(r, f, body, err)
 			}
 			// Continue execution
 		}
 		f.State = flow.StateEmailSent
-	} else if len(body.Phone) > 0 {
+	} else if channels[identity.VerifiableAddressTypePhone] && len(body.Phone) > 0 {
 		if err := s.deps.CodeSender().SendVerificationCode(ctx, f, identity.VerifiableAddressTypePhone, body.Phone); err != nil {
 			if !errors.Is(err, ErrUnknownAddress) {
 				return s.handleVerificationError(r, f, body, err)
@@ -253,15 +266,14 @@ func (s *Strategy) verificationHandleFormSubmission(ctx context.Context, w http.
 		return s.handleVerificationError(r, f, body, err)
 	}
 
-	// Add appropriate resend buttons based on the identifier used
-	if body.Email != "" {
+	if channels[identity.VerifiableAddressTypeEmail] && body.Email != "" {
 		f.UI.Nodes.Append(
 			node.NewInputField("email", body.Email, node.CodeGroup, node.InputAttributeTypeSubmit).
 				WithMetaLabel(text.NewInfoNodeResendOTP()),
 		)
 	}
 
-	if body.Phone != "" {
+	if channels[identity.VerifiableAddressTypePhone] && body.Phone != "" {
 		f.UI.Nodes.Append(
 			node.NewInputField("phone", body.Phone, node.CodeGroup, node.InputAttributeTypeSubmit).
 				WithMetaLabel(text.NewInfoNodeResendOTP()),