From 3b16eb7abb2986132d3f7fdfe36d1d21e0d650bb Mon Sep 17 00:00:00 2001
From: Blake Erickson <o.blakeerickson@gmail.com>
Date: Thu, 14 Nov 2019 16:19:23 -0700
Subject: [PATCH] FIX: Confirm new email with backup codes enabled

This is a fix for this bug:

https://meta.discourse.org/t/-/133185?u=blake

where rails would throw a missing template error when trying to confirm
a new email address when you had two factor backup codes enabled.

Apparently this feature broke during this commit:

68d35b14f4b5193c1bae0f175b9e461152e13ac7

when a partial that contained a lot of javascript was removed most
likely because it didn't comply with our Content Security Policy, so as
a fix I rewrote the previous js functionality without using any
javascript and then added a spec to verify that the correct backup code
form is displayed when that page is loaded.
---
 app/views/users_email/confirm.html.erb       | 32 +++++++++++---------
 spec/requests/users_email_controller_spec.rb | 11 +++++++
 2 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/app/views/users_email/confirm.html.erb b/app/views/users_email/confirm.html.erb
index 0f236a1992f..69d63eecce7 100644
--- a/app/views/users_email/confirm.html.erb
+++ b/app/views/users_email/confirm.html.erb
@@ -8,21 +8,26 @@
     <br>
     <a class="btn" href="/"><%= t('change_email.please_continue', site_name: SiteSetting.title) %></a>
   <% elsif @update_result == :invalid_second_factor%>
-    <div id="primary-second-factor-form">
-      <h2><%= t('login.second_factor_title') %></h2>
-      <br>
-      <%=form_tag({}, method: :put) do %>
-        <%= label_tag(:second_factor_token, t('login.second_factor_description')) %>
-        <div><%= render 'common/second_factor_text_field' %></div>
-        <% if @show_invalid_second_factor_error %>
-          <div class='alert alert-error'><%= t('login.invalid_second_factor_code') %></div>
+    <% if !params[:show_backup] || params[:show_backup] == "false" %>
+      <div id="primary-second-factor-form">
+        <h2><%= t('login.second_factor_title') %></h2>
+        <br>
+        <%=form_tag({}, method: :put) do %>
+          <%= label_tag(:second_factor_token, t('login.second_factor_description')) %>
+          <div><%= render 'common/second_factor_text_field' %></div>
+          <% if @show_invalid_second_factor_error %>
+            <div class='alert alert-error'><%= t('login.invalid_second_factor_code') %></div>
+          <% end %>
+          <%= submit_tag t('submit'), class: "btn btn-primary" %>
         <% end %>
-        <%= submit_tag t('submit'), class: "btn btn-primary" %>
+      </div>
+      <% if @backup_codes_enabled %>
+        <%= link_to t("login.second_factor_toggle.backup_code"), show_backup: "true" %>
       <% end %>
-    </div>
+    <% end %>
 
-    <%if @backup_codes_enabled %>
-      <div id="backup-second-factor-form" style="display: none">
+    <% if @backup_codes_enabled && params[:show_backup] == "true" %>
+      <div id="backup-second-factor-form" style="">
         <h2><%= t('login.second_factor_backup_title') %></h2>
         <br>
         <%= form_tag({}, method: :put) do%>
@@ -32,8 +37,7 @@
         <%end%>
 
       </div>
-      <a href id="toggle-form"><%=t "login.second_factor_backup" %></a>
-      <%= render 'common/second_factor_form_script' %>
+      <%= link_to t("login.second_factor_toggle.totp"), show_backup: "false" %>
     <%end%>
   <% else %>
     <div class='alert alert-error'>
diff --git a/spec/requests/users_email_controller_spec.rb b/spec/requests/users_email_controller_spec.rb
index 7987ffd33cb..d2512e08d5c 100644
--- a/spec/requests/users_email_controller_spec.rb
+++ b/spec/requests/users_email_controller_spec.rb
@@ -74,6 +74,7 @@ describe UsersEmailController do
 
       context 'second factor required' do
         fab!(:second_factor) { Fabricate(:user_second_factor_totp, user: user) }
+        fab!(:backup_code) { Fabricate(:user_second_factor_backup, user: user) }
 
         it 'requires a second factor token' do
           get "/u/authorize-email/#{user.email_tokens.last.token}"
@@ -86,6 +87,16 @@ describe UsersEmailController do
           expect(response_body).not_to include(I18n.t("login.invalid_second_factor_code"))
         end
 
+        it 'requires a backup token' do
+          get "/u/authorize-email/#{user.email_tokens.last.token}?show_backup=true"
+
+          expect(response.status).to eq(200)
+
+          response_body = response.body
+
+          expect(response_body).to include(I18n.t("login.second_factor_backup_title"))
+        end
+
         it 'adds an error on a second factor attempt' do
           get "/u/authorize-email/#{user.email_tokens.last.token}", params: {
             second_factor_token: "000000",