Avoid security-key dead-end on re-auth in non-account apps#501
Open
Sea-n wants to merge 4908 commits into
Open
Avoid security-key dead-end on re-auth in non-account apps#501Sea-n wants to merge 4908 commits into
Sea-n wants to merge 4908 commits into
Conversation
… handling Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…'main' Improve UX flow when SMS sending fails for disabling 2fa flow See merge request web/clients!24472
Update the URL when category view feature flag or setting is toggled See merge request web/clients!24463
Force the forum categories into the disabled categories See merge request web/clients!24391
[DRVWEB-5350] fix SharingModal click through See merge request web/clients!24481
Minor fixes for lumo 1.4 See merge request web/clients!24482
Docs: Point Help menu to Drive support hub for documents See merge request web/clients!24427
Docs: Wrap "Save for later" label in public header dropdown See merge request web/clients!24425
Docs: Prevent DropdownItem flex items from wrapping See merge request web/clients!24426
fix(INDA-683): Remove parameter sanitization for proton URLs, prevent spammy... See merge request web/clients!24488
Sheets: auto-select title on focus only when name is default See merge request web/clients!24452
feat(group): apply dedicated member search API for adding member See merge request web/clients!24394
Docs: add alpha-only subscript and superscript toolbar actions See merge request web/clients!24527
Recovery icon update See merge request web/clients!24604
Mail counters - refactoring of useMailboxCounter See merge request web/clients!24606
Update remove recovery email/phone modal See merge request web/clients!24597
avoid overriding getUserMedia audio parameters when initializing audio silent... See merge request web/clients!24601
Registration survey panel See merge request web/clients!24605
Potential fix for tables not being rendered correctly. See merge request web/clients!24608
Update recovery page snapshots See merge request web/clients!24609
On non-account apps (calendar, mail, drive), users whose only 2FA factor is a security key cannot complete a `password` scope re-auth: SrpAuthModal accepts the password and then fails with "Security key sign-in is not supported on this application", forcing the user to restart on account.proton.me. Add `getRequiresAccountAppForTwoFactor` and use it in SrpAuthModal to detect this case from userSettings before the password form renders. The modal now shows a "Continue in Proton Account" redirect screen instead, with a "Continue here anyway" escape hatch for cases where userSettings is misleading (e.g. admin signed in as sub-user) — the authoritative `/auth/info` check still runs on submit.
The org-name step in B2B onboarding triggers a password re-auth, which dead-ends on non-account apps for users whose only 2FA factor is a security key. Surface the constraint with a warning banner and a "Continue in Proton Account" link above the org-name input, so the user can switch over before filling in the form.
mmso
force-pushed
the
main
branch
5 times, most recently
from
115579e to
b6fd253
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
16 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As a new Business plan user, when I click Org setup in the Proton Calendar navbar, I'm asked for an organization name. After entering it and then my password, the flow fails: "security key sign-in isn't supported on the
calendar.proton.mesubdomain".Steps to reproduce
calendar.proton.me.Fix
A. Pre-check in
SrpAuthModalWhen
userSettingsindicates FIDO2-only 2FA on a non-account app, render a "Continue in Proton Account" redirect screen instead of the password form. Avoids letting the user submit a password that's destined to fail. A "Continue here anyway" escape hatch preserves the original flow for edge cases (e.g. admin signed in as sub-user) whereuserSettingsis misleading; the authoritative/auth/infocheck still runs on submit.This also covers
ChangeOrganizationPasswordModal,ChangeOrganizationKeysModal, and other admin actions usingunlockPasswordChanges()withscope="password".B. Gate in B2B Onboarding
Add a warning banner + Proton Account link above the org-name input, so the user doesn't invest time entering information in a place where it can't be saved.
Caveats