Fix email_verified_code usage (#4252)

When a Cozy instance has for authentication the combo magic link + 2FA, and its owner wants to login via the cloudery, we try to avoid a flow with two emails (one for finding the instance domain, and the other with the 6-digits code). To do that, we use an email_verified_code, and the stack needs to change its behavior on the login page when this code is present, which was not done correctly before this commit.
cozy · Dec 6, 2023 · 23f3e2d · 23f3e2d
2 parents 07c1678 + 49fa4ff
commit 23f3e2d
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 25 deletions.
diff --git a/assets/scripts/login.js b/assets/scripts/login.js
@@ -45,11 +45,14 @@
         const data = new URLSearchParams()
         data.append('passphrase', pass)
         data.append('trusted-device-token', trustedTokenInput.value)
-        data.append('email_verified_code', emailVerifiedCodeInput.value)
         data.append('long-run-session', longRun)
         data.append('redirect', redirect)
         data.append('csrf_token', csrfTokenInput.value)
 
+        if (emailVerifiedCodeInput) {
+          data.append('email_verified_code', emailVerifiedCodeInput.value)
+        }
+
         // For the /auth/authorize/move && /auth/confirm pages
         if (stateInput) {
           data.append('state', stateInput.value)

diff --git a/web/auth/auth.go b/web/auth/auth.go
@@ -205,6 +205,14 @@ func renderLoginForm(c echo.Context, i *instance.Instance, code int, credsErrors
 		iterations = settings.PassphraseKdfIterations
 	}
 
+	// When we have an email_verified_code, we need to ask the user their
+	// password, not send them an email with a magic link
+	emailVerifiedCode := c.QueryParam("email_verified_code")
+	magicLink := i.MagicLink
+	if emailVerifiedCode != "" {
+		magicLink = false
+	}
+
 	return c.Render(code, "login.html", echo.Map{
 		"TemplateTitle":     i.TemplateTitle(),
 		"Domain":            i.ContextualDomain(),
@@ -220,8 +228,8 @@ func renderLoginForm(c echo.Context, i *instance.Instance, code int, credsErrors
 		"CredentialsError":  credsErrors,
 		"Redirect":          redirectStr,
 		"CSRF":              c.Get("csrf"),
-		"EmailVerifiedCode": c.QueryParam("email_verified_code"),
-		"MagicLink":         i.MagicLink,
+		"EmailVerifiedCode": emailVerifiedCode,
+		"MagicLink":         magicLink,
 		"OAuth":             hasOAuth,
 		"FranceConnect":     hasFranceConnect,
 	})

diff --git a/web/statik/statik.go b/web/statik/statik.go