FIX: No error displayed when 2FA token is invalid on admin login page.

app/controllers/users_controller.rb

@@ -593,8 +593,27 @@ class UsersController < ApplicationController
 
         email_token_user = EmailToken.confirmable(token)&.user
         totp_enabled = email_token_user.totp_enabled?
+        second_factor_token = params[:second_factor_token]
+        confirm_email = false
 
-        if !totp_enabled || email_token_user.authenticate_totp(params[:second_factor_token])
+        confirm_email =
+          if totp_enabled
+            @second_factor_required = true
+            @message = I18n.t("login.second_factor_title")
+
+            if second_factor_token.present?
+              if email_token_user.authenticate_totp(second_factor_token)
+                true
+              else
+                @error = I18n.t("login.invalid_second_factor_code")
+                false
+              end
+            end
+          else
+            true
+          end
+
+        if confirm_email
           @user = EmailToken.confirm(token)
 
           if @user && @user.admin?
@@ -603,9 +622,6 @@ class UsersController < ApplicationController
           else
             @message = I18n.t("admin_login.errors.unknown_email_address")
           end
-        else
-          @second_factor_required = true
-          @message = I18n.t("login.second_factor_title")
         end
       else
         @message = I18n.t("admin_login.errors.invalid_token")

app/views/users/admin_login.html.erb

@@ -5,12 +5,12 @@
   <body>
     <% if @message %>
       <%= @message %>
-      <% if @second_factor_required %>
+      <% if @error %><p><%= @error %></p><% end %>
-        <%=form_tag({}, method: :put) do %>
+
-            <%= label_tag(:second_factor_token, t('login.second_factor_description')) %>
+      <%=form_tag({}, method: :put) do %>
-            <%= text_field_tag(:second_factor_token, nil, autofocus: true) %><br><br>
+        <%= label_tag(:second_factor_token, t('login.second_factor_description')) %>
-            <%= submit_tag t('submit')%>
+        <%= text_field_tag(:second_factor_token, nil, autofocus: true) %><br><br>
-        <% end %>
+        <%= submit_tag t('submit')%>
       <% end %>
     <% else %>
       <%=form_tag({}, method: :put) do %>

spec/controllers/users_controller_spec.rb

@@ -554,22 +554,35 @@ describe UsersController do
 
       describe 'when 2 factor authentication is enabled' do
         let(:second_factor) { Fabricate(:user_second_factor, user: admin) }
+        let(:email_token) { Fabricate(:email_token, user: admin) }
         render_views
 
         it 'does not log in when token required' do
           second_factor
-          token = admin.email_tokens.create(email: admin.email).token
+          get :admin_login, params: { token: email_token.token }
-          get :admin_login, params: { token: token }
           expect(response).not_to redirect_to('/')
           expect(session[:current_user_id]).not_to eq(admin.id)
           expect(response.body).to include(I18n.t('login.second_factor_description'));
         end
 
-        it 'logs in when a valid 2-factor token is given' do
+        describe 'invalid 2 factor token' do
-          token = admin.email_tokens.create(email: admin.email).token
+          it 'should display the right error' do
+            second_factor
 
+            put :admin_login, params: {
+              token: email_token.token,
+              second_factor_token: '13213'
+            }
+
+            expect(response.status).to eq(200)
+            expect(response.body).to include(I18n.t('login.second_factor_description'));
+            expect(response.body).to include(I18n.t('login.invalid_second_factor_code'));
+          end
+        end
+
+        it 'logs in when a valid 2-factor token is given' do
           put :admin_login, params: {
-            token: token,
+            token: email_token.token,
             second_factor_token: ROTP::TOTP.new(second_factor.data).now
           }