From 729063e485b2b6eff148fd6d05eef078a44fbc65 Mon Sep 17 00:00:00 2001
From: Joffrey JAFFEUX <j.jaffeux@gmail.com>
Date: Wed, 5 Jun 2024 20:45:16 +0200
Subject: [PATCH] FIX: ensures invalid OTP blocks submit (#27352)

---
 .../app/controllers/password-reset.js         |  5 ++++-
 .../app/templates/password-reset.hbs          |  4 ++++
 spec/system/login_spec.rb                     | 20 +++++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/app/controllers/password-reset.js b/app/assets/javascripts/discourse/app/controllers/password-reset.js
index e00b3e31a71..d6787d93a7a 100644
--- a/app/assets/javascripts/discourse/app/controllers/password-reset.js
+++ b/app/assets/javascripts/discourse/app/controllers/password-reset.js
@@ -93,7 +93,10 @@ export default Controller.extend(PasswordValidation, {
               DiscourseURL.redirectTo(result.redirect_to || "/");
             }
           } else {
-            if (result.errors && !result.errors.password) {
+            if (
+              result.errors.security_keys ||
+              result.errors.user_second_factors
+            ) {
               this.setProperties({
                 secondFactorRequired: this.secondFactorRequired,
                 securityKeyRequired: this.securityKeyRequired,
diff --git a/app/assets/javascripts/discourse/app/templates/password-reset.hbs b/app/assets/javascripts/discourse/app/templates/password-reset.hbs
index 764e9eef0f3..a45a5d47f6d 100644
--- a/app/assets/javascripts/discourse/app/templates/password-reset.hbs
+++ b/app/assets/javascripts/discourse/app/templates/password-reset.hbs
@@ -70,6 +70,10 @@
           {{/unless}}
         {{else}}
           <h2>{{i18n "user.change_password.choose"}}</h2>
+          {{#if this.errorMessage}}
+            <div class="alert alert-error">{{this.errorMessage}}</div>
+            <br />
+          {{/if}}
 
           <div class="input">
             <PasswordField
diff --git a/spec/system/login_spec.rb b/spec/system/login_spec.rb
index 2b2377b989e..42c1246635d 100644
--- a/spec/system/login_spec.rb
+++ b/spec/system/login_spec.rb
@@ -187,6 +187,26 @@ shared_examples "login scenarios" do
       expect(page).to have_css(".header-dropdown-toggle.current-user")
     end
 
+    it "shows error correctly when TOTP code is invalid" do
+      login_modal.open
+      login_modal.fill_username("john")
+      login_modal.forgot_password
+      find("button.forgot-password-reset").click
+
+      reset_password_link = wait_for_email_link(user, :reset_password)
+      visit reset_password_link
+
+      find(".second-factor-token-input").fill_in(with: "123456")
+      find(".password-reset .btn-primary").click
+
+      expect(page).to have_css(
+        ".alert-error",
+        text: "Invalid authentication code. Each code can only be used once.",
+      )
+
+      expect(page).to have_css(".second-factor-token-input")
+    end
+
     it "can reset password with a backup code" do
       login_modal.open
       login_modal.fill_username("john")