fix(experience): hide MFA back button after one-time token sign-in#8921
Merged
Conversation
When users sign in via a magic link, the token is consumed before MFA setup. Navigating back retries verification and fails with token_consumed. Track one-time token sign-in in session storage and hide the back control on MFA setup screens until the interaction completes. Co-authored-by: wangsijie <sijiewg@gmail.com>
COMPARE TO
|
| Name | Diff |
|---|---|
| packages/experience/src/hooks/use-mfa-error-handler.ts | 📈 +11 Bytes |
| packages/experience/src/hooks/use-send-mfa-verification-code.ts | 📈 +166 Bytes |
| packages/experience/src/pages/OneTimeToken/index.tsx | 📈 +52 Bytes |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes the one-time token MFA setup flow by hiding MFA back navigation so users cannot navigate back to a consumed magic-link token page.
Changes:
- Adds a
hideBackflag to MFA flow state validation. - Persists one-time-token sign-in state in session storage and clears it with interaction session storage.
- Applies MFA back-navigation hiding across MFA setup pages.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
packages/experience/src/types/guard.ts |
Extends MFA state guard with hideBack. |
packages/experience/src/types/guard.test.ts |
Adds guard coverage for hideBack. |
packages/experience/src/Providers/UserInteractionContextProvider/index.tsx |
Clears the one-time-token flag with interaction storage. |
packages/experience/src/pages/OneTimeToken/index.tsx |
Sets the one-time-token sign-in flag after token verification. |
packages/experience/src/pages/MfaOnboarding/index.tsx |
Hides navbar when MFA back navigation should be hidden. |
packages/experience/src/pages/MfaBinding/index.tsx |
Hides navbar on MFA factor selection. |
packages/experience/src/pages/MfaBinding/TotpBinding/index.tsx |
Hides navbar on TOTP binding. |
packages/experience/src/pages/MfaBinding/WebAuthnBinding/index.tsx |
Hides navbar on WebAuthn binding. |
packages/experience/src/pages/MfaBinding/VerificationCodeMfaBinding/index.tsx |
Hides navbar on verification-code MFA binding. |
packages/experience/src/hooks/use-should-hide-mfa-back-navigation.ts |
Adds shared hook for MFA back-navigation visibility. |
packages/experience/src/hooks/use-session-storages.ts |
Adds storage key and guard for one-time-token sign-in state. |
packages/experience/src/hooks/use-mfa-error-handler.ts |
Passes hide-back state into MFA redirects. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Hiding nav bar also hides MFA skip button
- Added isBackHidden to NavBar to hide only the back button while keeping the skip button visible on MFA pages.
You can send follow-ups to the cloud agent here.
Add isBackHidden to NavBar so one-time token flows can hide back navigation without removing the skip button from SecondaryPageLayout. Co-authored-by: wangsijie <sijiewg@gmail.com>
simeng-li
reviewed
Jun 1, 2026
…ime token sign-in Apply useShouldHideMfaBackNavigation to all MFA verification pages so users signing in via one-time token cannot navigate back to the consumed token page. Co-authored-by: wangsijie <sijiewg@gmail.com>
…routes Remove the OneTimeTokenSignIn sessionStorage flag when the user leaves one-time-token and MFA routes so a later password sign-in does not incorrectly hide the MFA back button. Co-authored-by: wangsijie <sijiewg@gmail.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 8041d9c. Configure here.
…back - Hide only the back control via isBackHidden; keep skip visible - Remove redundant hideBack MFA flow state; rely on session flag only - Stringify scalar session storage values for TypeScript compatibility - Clear stale one-time token flag outside OTT/MFA routes safely in tests
charIeszhao
reviewed
Jun 1, 2026
Member
charIeszhao
left a comment
charIeszhao
left a comment
There was a problem hiding this comment.
I think we can simplify this by removing the consumed one-time-token page from the browser history instead of tracking a separate one-time-token MFA state.
Address PR review feedback by removing the sessionStorage flag and isBackHidden plumbing. Instead, pass replace: true from the one-time token page through useSubmitInteractionErrorHandler so profile and MFA redirects remove the consumed token page from the browser history. Also thread replace through useSendMfaVerificationCode for email/phone MFA verification redirects from the one-time token flow. Co-authored-by: wangsijie <sijiewg@gmail.com>
charIeszhao
approved these changes
Jun 1, 2026
Member
charIeszhao
left a comment
charIeszhao
left a comment
There was a problem hiding this comment.
LGTM. The updated approach replaces the consumed one-time-token landing page in browser history and threads replace through the email/phone MFA verification redirect path, so the original back-navigation issue is addressed without the sessionStorage flag or per-page back hiding.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #8841.
When users sign in with a one-time token (magic link) and are prompted to set up or verify MFA, navigating back could return to the consumed token page and trigger
one_time_token.token_consumed.This change removes the one-time token landing page from the browser history when redirecting to profile completion or MFA flows, so back navigation (in-app, browser, or hardware) no longer re-runs token verification.
Changes
replace: truetouseSubmitInteractionErrorHandleron the one-time token page so profile and MFA redirects replace the token page in historyreplacethroughuseSendMfaVerificationCodefor email/phone MFA verification redirects from the one-time token flowTesting
Tested locally