After token timeout during 2FA flow, login form is left in broken state
Affected version
Version: 2.0.14
Summary
- Enable mail 2FA (or any code based 2FA)
- Enter credentials
- Wait 2 minutes (formTimeout) on 2FA input form
- Enter 2FA code
- Portal displays the PE_TOKENEXPIRED error (correct behaviour) together with the login form (correct behaviour???)
- Submitting that form POSTs to /mail2fcheck, which does not know how to handle a login request (ERROR)
Logs
[debug] Start routing mail2fcheck
* WARNING: mail2fcheck tries to load a 2FA token but instead loads the login form token *
[debug] Trying to load token 1661776443_56905
[error] mail2f: no code found
[debug] [error] mail2f: no code found
[debug] Processing code ref
* This fails because the login form token carries no 2FA attributes (no code) *
[debug] Current login saved into failedLogin
[debug] Current login -> 5
[debug] Found 'whatToTrace' ->
[debug] No uid found, skipping updatePersistentSession
[debug] Processing code ref
* Error is displayed to the user *
[debug] Returned error: 2 (PE_FORMEMPTY)
Possible fixes
- At a minimum, the 2FA code must verify the type of a token before using it, so that a login form token presented to a 2FA endpoint is rejected instead of being processed as if it were a 2FA token
- Additionally, when an error occurs in the 2FA flow we should redirect the user to the portal URL instead of leaving them on the /mail2fcheck URL, where the rendered login form posts to the wrong handler
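As an added illustration of the first fix (this is constructed example code, not LemonLDAP::NG's own token module): a one-time-token store in which every token carries a kind, and the second-factor check rejects a token of the wrong kind before reading any attribute from it. The class and function names, the kind labels and the result strings are assumptions.

```python
import secrets
import time

# Matches the 2-minute formTimeout from the report.
FORM_TIMEOUT = 120  # seconds


class TokenStore:
    """Constructed in-memory one-time-token store (not the project's code)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._tokens = {}

    def issue(self, kind, **attrs):
        # Token ids are opaque; the kind is stored server-side with the token.
        token_id = f"{int(self._now())}_{secrets.token_hex(4)}"
        self._tokens[token_id] = {"kind": kind, "created": self._now(), **attrs}
        return token_id

    def consume(self, token_id, expected_kind):
        """Pop the token once and return (attributes, error)."""
        data = self._tokens.pop(token_id, None)
        if data is None or self._now() - data["created"] > FORM_TIMEOUT:
            return None, "token_expired"
        # The check the report asks for: a login-form token must never be
        # treated as a 2FA token, so refuse it before touching its attributes.
        if data["kind"] != expected_kind:
            return None, "wrong_token_kind"
        return data, None


def mail2f_check(store, token_id, submitted_code):
    """Verify a mailed code; every outcome is a result string, never a crash."""
    data, err = store.consume(token_id, "mail2f")
    if err:
        return err
    if "code" not in data:
        return "no_code"            # the report's "mail2f: no code found"
    if not secrets.compare_digest(data["code"], submitted_code):
        return "bad_code"           # a wrong guess burns the one-time token
    return "ok"
```

A real deployment would map these result strings onto the portal's PE_* codes and redirect back to the portal URL on any error.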