Skip to content

Commit

Permalink
Fix email_verified_code usage (#4252)
Browse files Browse the repository at this point in the history
When a Cozy instance has for authentication the combo magic link + 2FA,
and its owner wants to login via the cloudery, we try to avoid a flow
with two emails (one for finding the instance domain, and the other with
the 6-digits code). To do that, we use an email_verified_code, and the
stack needs to change its behavior on the login page when this code is
present, which was not done correctly before this commit.
  • Loading branch information
nono authored Dec 6, 2023
2 parents 07c1678 + 49fa4ff commit 23f3e2d
Show file tree
Hide file tree
Showing 3 changed files with 36 additions and 25 deletions.
5 changes: 4 additions & 1 deletion assets/scripts/login.js
Original file line number Diff line number Diff line change
Expand Up @@ -45,11 +45,14 @@
const data = new URLSearchParams()
data.append('passphrase', pass)
data.append('trusted-device-token', trustedTokenInput.value)
data.append('email_verified_code', emailVerifiedCodeInput.value)
data.append('long-run-session', longRun)
data.append('redirect', redirect)
data.append('csrf_token', csrfTokenInput.value)

if (emailVerifiedCodeInput) {
data.append('email_verified_code', emailVerifiedCodeInput.value)
}

// For the /auth/authorize/move && /auth/confirm pages
if (stateInput) {
data.append('state', stateInput.value)
Expand Down
12 changes: 10 additions & 2 deletions web/auth/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,14 @@ func renderLoginForm(c echo.Context, i *instance.Instance, code int, credsErrors
iterations = settings.PassphraseKdfIterations
}

// When we have an email_verified_code, we need to ask the user their
// password, not send them an email with a magic link
emailVerifiedCode := c.QueryParam("email_verified_code")
magicLink := i.MagicLink
if emailVerifiedCode != "" {
magicLink = false
}

return c.Render(code, "login.html", echo.Map{
"TemplateTitle": i.TemplateTitle(),
"Domain": i.ContextualDomain(),
Expand All @@ -220,8 +228,8 @@ func renderLoginForm(c echo.Context, i *instance.Instance, code int, credsErrors
"CredentialsError": credsErrors,
"Redirect": redirectStr,
"CSRF": c.Get("csrf"),
"EmailVerifiedCode": c.QueryParam("email_verified_code"),
"MagicLink": i.MagicLink,
"EmailVerifiedCode": emailVerifiedCode,
"MagicLink": magicLink,
"OAuth": hasOAuth,
"FranceConnect": hasFranceConnect,
})
Expand Down
44 changes: 22 additions & 22 deletions web/statik/statik.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 23f3e2d

Please sign in to comment.