feat: add settings, verification, and code config attributes to project_config (#151)

* feat: add settings, verification, and code config attributes to project_config

Add support for configuring selfservice settings flow, verification flow,
profile method, and code method config on the ory_project_config resource.

New attributes:
- enable_profile: toggle the profile authentication method
- code_lifespan: one-time code validity duration
- code_max_submissions: max code submission attempts (read-only in API)
- code_missing_credential_fallback_enabled: code as credential fallback
- settings_lifespan: settings flow session duration
- settings_privileged_session_max_age: re-auth window for privileged changes
- verification_use: verification method (code or link)
- verification_lifespan: verification flow session duration
- verification_notify_unknown_recipients: notify unknown email addresses
- required_aal: corrected validator to match API (aal1, highest_available)

Closes #150

* fix: address review feedback, remove code_max_submissions

- Remove code_max_submissions attribute entirely (API silently ignores
  writes, always returns server-default value of 5)
- Add p.Op assertions to all new unit tests for consistency
- Add null-case tests for CodeMissingCredentialFallbackEnabled,
  SettingsPrivilegedSessionMaxAge, VerificationLifespan, and
  VerificationNotifyUnknownRecipients

Author: KT-Doan

docs/resources/project_config.md

@@ -57,12 +57,26 @@ resource "ory_project_config" "secure" {
   enable_oidc                  = true # Required for social providers (Google, GitHub, etc.)
   enable_oidc_auto_link_policy = true # Allow social providers with auto_link = true to link to existing identities
   enable_passkey               = true
+  enable_profile               = true # Allow users to update profile traits via settings flow
+
+  # Code Method Configuration
+  code_lifespan                            = "15m0s" # How long a code remains valid
+  code_missing_credential_fallback_enabled = true    # Use code as fallback when primary credential is missing
 
   # Flow Controls
   enable_registration = true
   enable_recovery     = true
   enable_verification = true
 
+  # Settings Flow
+  settings_lifespan                   = "30m0s" # How long a settings flow session is valid
+  settings_privileged_session_max_age = "15m0s" # Re-auth required for privileged changes after this duration
+
+  # Verification Flow
+  verification_use                       = "code"  # Use one-time code for verification (or "link")
+  verification_lifespan                  = "30m0s" # How long a verification flow session is valid
+  verification_notify_unknown_recipients = false   # Don't send verification emails to unknown addresses
+
   # MFA
   enable_totp              = true
   totp_issuer              = "MyApp"
@@ -317,9 +331,11 @@ This resource exposes **75+ attributes** across these configuration categories:
 | Session settings | cookie same site, lifespan, whoami-required AAL |
 | CORS | public and admin origins, enabled/disabled |
 | Login flow | login style (unified, identifier_first) |
-| Authentication | passwordless, code, OIDC (social sign-in), OIDC auto-link policy, TOTP, passkey, WebAuthn, lookup secrets |
+| Authentication | passwordless, code, profile, OIDC (social sign-in), OIDC auto-link policy, TOTP, passkey, WebAuthn, lookup secrets |
+| Code method | lifespan, max submissions, missing credential fallback |
 | OAuth2/Hydra | token lifespans, access token strategy, PKCE, claims, scope strategy, consent/login URLs |
-| Recovery / Verification | enabled, methods, notify unknown recipients |
+| Settings flow | lifespan, privileged session max age, required AAL |
+| Recovery / Verification | enabled, methods, lifespan, notify unknown recipients |
 | Account enumeration | mitigation enabled |
 | Keto | namespace configuration |
 
@@ -342,7 +358,9 @@ Some Ory project settings are not yet available through this resource. For setti
 - `account_experience_name` (String) Application name shown in the hosted login UI.
 - `account_experience_stylesheet` (String) Custom CSS stylesheet for the hosted login UI.
 - `allowed_return_urls` (List of String) List of allowed return URLs.
+- `code_lifespan` (String) Lifespan of the code method's one-time codes (e.g., '15m0s'). Controls how long a code remains valid after being issued.
 - `code_mfa_enabled` (Boolean) Enable the code method as a second factor for MFA. When enabled, users can use one-time codes as a second authentication factor.
+- `code_missing_credential_fallback_enabled` (Boolean) Enable missing credential fallback for the code method. When enabled, allows the code method to be used as a fallback when the primary credential is missing.
 - `cors_admin_enabled` (Boolean) Enable CORS for the admin API.
 - `cors_admin_origins` (List of String) Allowed CORS origins for the admin API.
 - `cors_enabled` (Boolean) Enable CORS for the public API.
@@ -357,6 +375,7 @@ Some Ory project settings are not yet available through this resource. For setti
 - `enable_oidc_auto_link_policy` (Boolean) Enable the OIDC auto-link policy. When true, social sign-in providers with auto_link enabled (on ory_social_provider) can automatically link to existing identities that share the same identifier (e.g., email).
 - `enable_passkey` (Boolean) Enable Passkey authentication.
 - `enable_password` (Boolean) Enable password authentication.
+- `enable_profile` (Boolean) Enable the profile authentication method. When enabled, users can update their identity traits (e.g., name, address) via the settings flow.
 - `enable_recovery` (Boolean) Enable password recovery flow.
 - `enable_registration` (Boolean) Enable user registration.
 - `enable_totp` (Boolean) Enable TOTP (Time-based One-Time Password).
@@ -394,19 +413,24 @@ Some Ory project settings are not yet available through this resource. For setti
 - `project_id` (String) Project ID to configure. If not set, uses provider's project_id.
 - `recovery_ui_url` (String) URL for the password recovery UI.
 - `registration_ui_url` (String) URL for the registration UI.
-- `required_aal` (String) Required Authenticator Assurance Level for protected resources: 'aal1' or 'aal2'.
+- `required_aal` (String) Required Authenticator Assurance Level for the settings flow: 'aal1' or 'highest_available'.
 - `session_cookie_persistent` (Boolean) Enable persistent session cookies (survive browser close).
 - `session_cookie_same_site` (String) SameSite cookie attribute (Lax, Strict, None).
 - `session_lifespan` (String) Session duration (e.g., '24h0m0s').
 - `session_tokenizer_templates` (Attributes Map) JWT tokenizer templates for the /sessions/whoami endpoint. Each key is a template name, and the value configures how JWTs are generated. (see [below for nested schema](#nestedatt--session_tokenizer_templates))
 - `session_whoami_required_aal` (String) Required AAL for session whoami endpoint: 'aal1', 'aal2', or 'highest_available'.
+- `settings_lifespan` (String) Lifespan of the settings flow (e.g., '30m0s'). Controls how long a settings flow session remains valid.
+- `settings_privileged_session_max_age` (String) Maximum age of a privileged session for the settings flow (e.g., '15m0s'). After this duration, the user must re-authenticate to make privileged changes like password updates.
 - `settings_ui_url` (String) URL for the account settings UI.
 - `smtp_connection_uri` (String, Sensitive) SMTP connection URI for sending emails.
 - `smtp_from_address` (String) Email address to send from.
 - `smtp_from_name` (String) Name to display as sender.
 - `smtp_headers` (Map of String) Custom headers to include in emails.
 - `totp_issuer` (String) TOTP issuer name shown in authenticator apps.
+- `verification_lifespan` (String) Lifespan of the verification flow (e.g., '30m0s'). Controls how long a verification flow session remains valid.
+- `verification_notify_unknown_recipients` (Boolean) When enabled, verification emails are sent even if the email address is not associated with any known identity.
 - `verification_ui_url` (String) URL for the verification UI.
+- `verification_use` (String) Verification method to use: 'code' (one-time code) or 'link' (magic link).
 - `webauthn_passwordless` (Boolean) Enable passwordless WebAuthn authentication.
 - `webauthn_rp_display_name` (String) WebAuthn Relying Party display name.
 - `webauthn_rp_id` (String) WebAuthn Relying Party ID (typically your domain).

examples/resources/ory_project_config/resource.tf

@@ -34,12 +34,26 @@ resource "ory_project_config" "secure" {
   enable_oidc                  = true # Required for social providers (Google, GitHub, etc.)
   enable_oidc_auto_link_policy = true # Allow social providers with auto_link = true to link to existing identities
   enable_passkey               = true
+  enable_profile               = true # Allow users to update profile traits via settings flow
+
+  # Code Method Configuration
+  code_lifespan                            = "15m0s" # How long a code remains valid
+  code_missing_credential_fallback_enabled = true    # Use code as fallback when primary credential is missing
 
   # Flow Controls
   enable_registration = true
   enable_recovery     = true
   enable_verification = true
 
+  # Settings Flow
+  settings_lifespan                   = "30m0s" # How long a settings flow session is valid
+  settings_privileged_session_max_age = "15m0s" # Re-auth required for privileged changes after this duration
+
+  # Verification Flow
+  verification_use                       = "code"  # Use one-time code for verification (or "link")
+  verification_lifespan                  = "30m0s" # How long a verification flow session is valid
+  verification_notify_unknown_recipients = false   # Don't send verification emails to unknown addresses
+
   # MFA
   enable_totp              = true
   totp_issuer              = "MyApp"

internal/resources/projectconfig/build_patches_test.go

@@ -220,3 +220,259 @@ func TestBuildPatches_NullLoginStyle(t *testing.T) {
 		t.Error("expected no patch for null login_style")
 	}
 }
+
+func TestBuildPatches_EnableProfile(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		EnableProfile: types.BoolValue(true),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/methods/profile/enabled")
+	if p == nil {
+		t.Fatal("expected a patch for enable_profile, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != true {
+		t.Errorf("expected value true, got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullEnableProfile(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		EnableProfile: types.BoolNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/methods/profile/enabled")
+	if p != nil {
+		t.Error("expected no patch for null enable_profile")
+	}
+}
+
+func TestBuildPatches_CodeLifespan(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		CodeLifespan: types.StringValue("15m0s"),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/methods/code/config/lifespan")
+	if p == nil {
+		t.Fatal("expected a patch for code_lifespan, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != "15m0s" {
+		t.Errorf("expected value '15m0s', got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullCodeLifespan(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		CodeLifespan: types.StringNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/methods/code/config/lifespan")
+	if p != nil {
+		t.Error("expected no patch for null code_lifespan")
+	}
+}
+
+func TestBuildPatches_CodeMissingCredentialFallbackEnabled(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		CodeMissingCredentialFallbackEnabled: types.BoolValue(true),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/methods/code/config/missing_credential_fallback_enabled")
+	if p == nil {
+		t.Fatal("expected a patch for code_missing_credential_fallback_enabled, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != true {
+		t.Errorf("expected value true, got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullCodeMissingCredentialFallbackEnabled(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		CodeMissingCredentialFallbackEnabled: types.BoolNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/methods/code/config/missing_credential_fallback_enabled")
+	if p != nil {
+		t.Error("expected no patch for null code_missing_credential_fallback_enabled")
+	}
+}
+
+func TestBuildPatches_SettingsLifespan(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		SettingsLifespan: types.StringValue("30m0s"),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/settings/lifespan")
+	if p == nil {
+		t.Fatal("expected a patch for settings_lifespan, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != "30m0s" {
+		t.Errorf("expected value '30m0s', got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullSettingsLifespan(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		SettingsLifespan: types.StringNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/settings/lifespan")
+	if p != nil {
+		t.Error("expected no patch for null settings_lifespan")
+	}
+}
+
+func TestBuildPatches_SettingsPrivilegedSessionMaxAge(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		SettingsPrivilegedSessionMaxAge: types.StringValue("15m0s"),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/settings/privileged_session_max_age")
+	if p == nil {
+		t.Fatal("expected a patch for settings_privileged_session_max_age, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != "15m0s" {
+		t.Errorf("expected value '15m0s', got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullSettingsPrivilegedSessionMaxAge(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		SettingsPrivilegedSessionMaxAge: types.StringNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/settings/privileged_session_max_age")
+	if p != nil {
+		t.Error("expected no patch for null settings_privileged_session_max_age")
+	}
+}
+
+func TestBuildPatches_VerificationUse(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		VerificationUse: types.StringValue("code"),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/verification/use")
+	if p == nil {
+		t.Fatal("expected a patch for verification_use, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != "code" {
+		t.Errorf("expected value 'code', got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullVerificationUse(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		VerificationUse: types.StringNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/verification/use")
+	if p != nil {
+		t.Error("expected no patch for null verification_use")
+	}
+}
+
+func TestBuildPatches_VerificationLifespan(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		VerificationLifespan: types.StringValue("30m0s"),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/verification/lifespan")
+	if p == nil {
+		t.Fatal("expected a patch for verification_lifespan, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != "30m0s" {
+		t.Errorf("expected value '30m0s', got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullVerificationLifespan(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		VerificationLifespan: types.StringNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/verification/lifespan")
+	if p != nil {
+		t.Error("expected no patch for null verification_lifespan")
+	}
+}
+
+func TestBuildPatches_VerificationNotifyUnknownRecipients(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		VerificationNotifyUnknownRecipients: types.BoolValue(true),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/verification/notify_unknown_recipients")
+	if p == nil {
+		t.Fatal("expected a patch for verification_notify_unknown_recipients, got none")
+	}
+	if p.Op != "replace" {
+		t.Errorf("expected op 'replace', got %q", p.Op)
+	}
+	if p.Value != true {
+		t.Errorf("expected value true, got %v", p.Value)
+	}
+}
+
+func TestBuildPatches_NullVerificationNotifyUnknownRecipients(t *testing.T) {
+	r := &ProjectConfigResource{}
+	plan := &ProjectConfigResourceModel{
+		VerificationNotifyUnknownRecipients: types.BoolNull(),
+	}
+
+	patches := r.buildPatches(context.Background(), plan)
+	p := findPatch(patches, "/services/identity/config/selfservice/flows/verification/notify_unknown_recipients")
+	if p != nil {
+		t.Error("expected no patch for null verification_notify_unknown_recipients")
+	}
+}