web: auto verify user during user creation

[shreeharsha-factly]

Summary by CodeRabbit

• New Features
  • Enhanced email verification tracking for user accounts by adding metadata timestamps and verification status information to the user identity system.

[coderabbitai]

Walkthrough

The change adds email verification metadata to the Kratos identity payload during user creation in the admin user creation endpoint. A new verifiable_addresses entry is introduced containing verification details (created_at, updated_at, value, verified, verified_at, via) with timestamps populated using time.Now().

Changes

Cohort / File(s)	Summary
Kratos Identity Payload Enhancement server/action/admin/user/create.go	Added time package import and introduced verifiable_addresses metadata field containing email verification details (created_at, updated_at, value, verified, verified_at, via) with current timestamps

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify the structure and field names of verifiable_addresses match Kratos' expected identity schema
• Ensure time.Now() is the appropriate timestamp source for all timing fields
• Confirm the email value and verification flags are correctly populated

Poem

🐰 A timestamp here, a timestamp there,
Email verified with extra care,
Kratos now knows when trust was born,
From this moment on, accounts are worn! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "web: auto verify user during user creation" accurately describes the main change in the pull request. The modification adds verification metadata (including verified, verified_at, and other fields) to the Kratos identity payload during user creation in server/action/admin/user/create.go, which directly aligns with the concept of auto-verifying users during creation. The title is concise, specific, and avoids generic or vague language, making it clear to reviewers that the change implements automatic user verification at creation time.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/verify/user

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying kavach-docs with    Cloudflare Pages

Latest commit:	f224613
Status:	✅  Deploy successful!
Preview URL:	https://e642582f.kavach-docs.pages.dev
Branch Preview URL:	https://feat-verify-user.kavach-docs.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 60d5318 and f224613.

📒 Files selected for processing (1)

• server/action/admin/user/create.go (2 hunks)

🔇 Additional comments (1)

server/action/admin/user/create.go (1)

9-9: LGTM!

The time import is necessary for the time.Now() calls added in the verifiable_addresses field.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify the schema against Kratos Admin API documentation.

The verifiable_addresses field structure must exactly match what the Kratos Admin API expects. Additionally, auto-verifying users bypasses the email verification flow, which may have security or compliance implications for your use case.

Please verify:

1. The field names, types, and structure match the Kratos Admin API schema for your version
2. The timestamp format (time.Now() serializes to RFC3339 in JSON) is compatible with Kratos
3. All required fields are present and no unsupported fields are included
4. Auto-verification aligns with your security and compliance requirements

Run the following script to check for other usages of verifiable_addresses in the codebase for reference:

Additionally, please verify the Kratos Admin API documentation for the identity creation endpoint:

---

🏁 Script executed:

#!/bin/bash
# Search for other usages of verifiable_addresses to verify schema consistency
rg -n -C5 'verifiable_addresses' --type=go

Length of output: 687

---

🌐 Web query:

Ory Kratos Admin API verifiable_addresses schema for identity creation

💡 Result:

You can set verifiable addresses when creating/importing an identity via the Admin API by including a verifiable_addresses array on the identity payload. Each address object uses these fields (examples from Ory Kratos docs):

• value (string) — the address (e.g. email).
• verified (boolean) — whether the address is already verified.
• via (string) — channel, e.g. "email" or "sms".
• status (string) — e.g. "pending" or "completed".
• id, created_at, updated_at, verified_at (server-generated on return).

Example create/import payload:

{
"schema_id": "preset://email",
"traits": { "email": "user@example.org" },
"verifiable_addresses": [
{
"value": "user@example.org",
"verified": true,
"via": "email",
"status": "completed"
}
]
}

See Ory Kratos docs for creating/importing identities and verifiable addresses. [1][2]

Sources:
[1] Ory — Import user accounts / importing verified addresses (Admin identities).
[2] Ory — Create/manage identities (example responses showing verifiable_addresses).

---

Remove server-generated fields from verifiable_addresses payload.

The Kratos Admin API documentation states that id, created_at, updated_at, verified_at are server-generated fields, meaning they should not be included in the client request payload. Remove the following lines from the verifiable_addresses object:

• "created_at": time.Now()
• "updated_at": time.Now()
• "verified_at": time.Now()

Keep only: value, verified, via, and status.

🤖 Prompt for AI Agents

In server/action/admin/user/create.go around lines 54 to 64, the
verifiable_addresses payload currently includes server-generated timestamp
fields (created_at, updated_at, verified_at) which should not be sent; remove
the "created_at": time.Now(), "updated_at": time.Now(), and "verified_at":
time.Now() entries and leave only "value", "verified", "via", and "status" in
the verifiable_addresses map so the request conforms to Kratos Admin API
expectations.