fix: exempt recovery sessions from current password requirement

When updating a password via the recovery (password reset) flow,
the user cannot know their current password — that is the whole point
of the flow. This commit:

1. verifyPost: issues refresh tokens with models.Recovery auth method
   for RecoveryVerification type, so the AMR claim is correctly stored
   as "recovery" instead of "otp".

2. user.go: checks for the recovery AMR claim when
   GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_CURRENT_PASSWORD is enabled,
   and skips the current-password check for recovery sessions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: JulienBergero

internal/api/user.go

@@ -149,17 +149,41 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 
 	if params.Password != nil {
 		if config.Security.UpdatePasswordRequireCurrentPassword {
-			if params.CurrentPassword == nil || *params.CurrentPassword == "" {
-				return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Current password is required to update password")
+			// Recovery sessions (password reset flow) are exempt — the user
+			// cannot know their current password, that is why they are resetting it.
+			isRecoverySession := false
+			if session != nil {
+				amrMethods := []string{}
+				for _, claim := range session.AMRClaims {
+					amrMethods = append(amrMethods, claim.GetAuthenticationMethod())
+					if claim.GetAuthenticationMethod() == models.Recovery.String() {
+						isRecoverySession = true
+						break
+					}
+				}
+				logrus.WithFields(logrus.Fields{
+					"session_id":          session.ID,
+					"amr_methods":         amrMethods,
+					"amr_claims_count":    len(session.AMRClaims),
+					"is_recovery_session": isRecoverySession,
+				}).Info("[delos] password update: session AMR check")
+			} else {
+				logrus.Info("[delos] password update: session is nil")
 			}
 
-			if user.HasPassword() {
-				authenticated, _, err := user.Authenticate(ctx, db, *params.CurrentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")
-				if err != nil {
-					return apierrors.NewInternalServerError("Error verifying current password").WithInternalError(err)
+			if !isRecoverySession {
+				if params.CurrentPassword == nil || *params.CurrentPassword == "" {
+					return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Current password is required to update password")
 				}
-				if !authenticated {
-					return apierrors.NewBadRequestError(apierrors.ErrorCodeInvalidCredentials, InvalidLoginMessage)
+
+				if user.HasPassword() {
+					authenticated, _, err := user.Authenticate(ctx, db, *params.CurrentPassword, config.Security.DBEncryption.DecryptionKeys, false, "")
+					if err != nil {
+						return apierrors.NewInternalServerError("Error verifying current password").WithInternalError(err)
+					}
+					if !authenticated {
+						return apierrors.NewBadRequestError(apierrors.ErrorCodeInvalidCredentials, InvalidLoginMessage)
+					}
 				}
 			}
 		}

internal/api/verify.go

@@ -188,7 +188,15 @@ func (a *API) verifyGet(w http.ResponseWriter, r *http.Request, params *VerifyPa
 		}
 
 		if isImplicitFlow(flowType) {
-			token, terr = a.issueRefreshToken(r, tx, user, models.OTP, grantParams)
+			issuedAuthMethod := models.OTP
+			if params.Type == mail.RecoveryVerification {
+				issuedAuthMethod = models.Recovery
+			}
+			logrus.WithFields(logrus.Fields{
+				"params_type":        params.Type,
+				"issued_auth_method": issuedAuthMethod.String(),
+			}).Info("[delos] verify: issuing refresh token with auth method")
+			token, terr = a.issueRefreshToken(r, tx, user, issuedAuthMethod, grantParams)
 			if terr != nil {
 				return terr
 			}
@@ -288,7 +296,15 @@ func (a *API) verifyPost(w http.ResponseWriter, r *http.Request, params *VerifyP
 		if terr := tx.Reload(user); terr != nil {
 			return terr
 		}
-		token, terr = a.issueRefreshToken(r, tx, user, models.OTP, grantParams)
+		issuedAuthMethod := models.OTP
+		if params.Type == mail.RecoveryVerification {
+			issuedAuthMethod = models.Recovery
+		}
+		logrus.WithFields(logrus.Fields{
+			"params_type":        params.Type,
+			"issued_auth_method": issuedAuthMethod.String(),
+		}).Info("[delos] verifyPost: issuing refresh token with auth method")
+		token, terr = a.issueRefreshToken(r, tx, user, issuedAuthMethod, grantParams)
 		if terr != nil {
 			return terr
 		}