If you had an email associated with Google auth in the past and now have 2 factor you get stuck in a login loop

[samueljseay]

Impacted plugin

Jetpack

Quick summary

On wordpress.com I found myself in a login loop trying to authenticate/create a new account with google auth. I believe this is because that google email address used to be associated with it (it no longer is).

Steps to reproduce

This is probably not reproducable unless you once had a google email associated with an account. and I believe you may have to have 2fa enabled on your current account. But I've copied my repro steps below.

https://github.com/user-attachments/assets/bc1f1625-e287-4a18-b84a-f8461c8a35bc

0. ensure you're logged out of wordpress.com
1. Go to wordpress.com type in a domain to register
2. Select the one you want and click "continue"
3. Click "just buy a domain"
4. Click "continue with google"
5. Sign in to google account
6. Note the error
7. Click "login now" in error message
8. Try login with the email address used as before
9. Note that it says no account exists with that email address

A clear and concise description of what you expected to happen.

An account should be created so I can complete the purchase of the domain

What actually happened

An error is shown saying 2fa is enabled, the "login now" link goes to login page and when trying to login with that email address it says the account does not exist.

Impact

Some (< 50%)

Available workarounds?

No and the platform is unusable

Platform (Simple and/or Atomic)

No response

Logs or notes

Browser tested in desktop chrome and mobile brave.

[darssen]

Thanks for creating the issue @samueljseay

I can't view or Download the video, will you be able to upload again?

I'm also unable to reproduce with my account, but based on the comments it is expected.

@sergeymitr could you take a look at this one?

[samueljseay]

That's strange @darssen I can view the video on chrome/brave with a forced reload. I could reupload, but it seems like maybe a problem on your end?

[darssen]

That's strange @darssen I can view the video on chrome/brave with a forced reload. I could reupload, but it seems like maybe a problem on your end?

Chrome seems to work now well for me :man_shrugging:

[darssen]

This might be more in the dotcom realm, I asked in Slack to see if someone can take a look p1724247711419879-slack-C029GN3KD If that is the case we might need to close this one and open another ticket in the proper repo

[simison]

cc @Automattic/vertex this might be down to your wheelhouse

[escapemanuele]

Hey, we'll take a look!

[heavyweight]

I managed to reproduce this:

• Created a user with email from proton.
• Added gmail account to it
• Added 2fa
• Logged out
• Logged in with google and 2FA - everything OK
• Removed the google account
• Logged out and opened new incognito
• Followed the original steps

[heavyweight]

Actually the google email that I added, already had a WP account created 1 year ago. I think we should not allow accounts to be connected if that email was already assigned to a WordPress user. @samueljseay could this also be the case for you? Can you check on the network admin if that google email was already belonging to another WordPress user?

[samueljseay]

@heavyweight at one point it was belonging to my account but I changed it to another email address. So as far as I'm concerned it was no longer associated with a Wordpress user when I tried to use it.

[heavyweight]

Ensuring that I have unused gmail on WordPress I managed to reproduce something similar. My account for testing was a passwordless one, will try with another using a password since its a different code path.

Looking into fbhepr%2Skers%2Sjcpbz%2Sjc%2Qvapyhqrf%2Szf%2Qshapgvbaf.cuc%3Se%3Q7ps4qn45%23576-og I see that if an email was used for signup (logged in the signup table) we won't allow new registrations with it unless two days pass. I think its important to keep this for security reasons but we could definitely improve the error message to something like this:

Does this improvement makes sense for you @samueljseay ? Will check after 2 days to ensure that I can create an account with that email.

[samueljseay]

@heavyweight I'm not sure that relates to my issue, the gmail account was associated years ago.

Apart from that, I think this is improvement is useful yes :)

[heavyweight]

Noticed that we need to wait 60 days after a signup happens with an email to "unlock" it for future signups.

Dropping the diff here D161734-code for the next people in rotation

[donnapep]

Latest update as of October 8th is that we're waiting for feedback from Devops on D161734-code.

[davemart-in]

Removing Groundskeeper label since this has a solution in review.