Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0

If you had an email associated with Google auth in the past and now have 2 factor you get stuck in a login loop #93873

Open samueljseay opened 2 months ago

samueljseay commented 2 months ago

Impacted plugin

Jetpack

Quick summary

On wordpress.com I found myself in a login loop trying to authenticate/create a new account with Google auth. I believe this is because that Google email address used to be associated with it (it no longer is).

Steps to reproduce

This is probably not reproducible unless you once had a Google email associated with an account, and I believe you may have to have 2FA enabled on your current account. But I've copied my repro steps below.

https://github.com/user-attachments/assets/bc1f1625-e287-4a18-b84a-f8461c8a35bc

  1. Ensure you're logged out of wordpress.com
  2. Go to wordpress.com and type in a domain to register
  3. Select the one you want and click "Continue"
  4. Click "Just buy a domain"
  5. Click "Continue with Google"
  6. Sign in to your Google account
  7. Note the error
  8. Click "Login now" in the error message
  9. Try to log in with the same email address as before
  10. Note that it says no account exists with that email address

What you expected to happen

An account should be created so I can complete the purchase of the domain

What actually happened

An error is shown saying 2FA is enabled; the "Login now" link goes to the login page, and when trying to log in with that email address it says the account does not exist.

Impact

Some (< 50%)

Available workarounds?

No and the platform is unusable

Platform (Simple and/or Atomic)

No response

Logs or notes

Browser tested in desktop chrome and mobile brave.

darssen commented 2 months ago

Thanks for creating the issue @samueljseay

I can't view or download the video; would you be able to upload it again?

I'm also unable to reproduce with my account, but based on the comments it is expected.

@sergeymitr could you take a look at this one?

samueljseay commented 2 months ago

That's strange @darssen I can view the video on chrome/brave with a forced reload. I could reupload, but it seems like maybe a problem on your end?

darssen commented 2 months ago

That's strange @darssen I can view the video on chrome/brave with a forced reload. I could reupload, but it seems like maybe a problem on your end?

Chrome seems to work now well for me :man_shrugging:

darssen commented 1 month ago

This might be more in the dotcom realm. I asked in Slack to see if someone can take a look (p1724247711419879-slack-C029GN3KD). If that is the case, we might need to close this one and open another ticket in the proper repo.

simison commented 1 month ago

cc @Automattic/vertex this might be down to your wheelhouse

escapemanuele commented 1 month ago

Hey, we'll take a look!

heavyweight commented 1 month ago

I managed to reproduce this:

heavyweight commented 1 month ago

Actually, the Google email that I added already had a WP account created 1 year ago. I think we should not allow accounts to be connected if that email was already assigned to a WordPress user. @samueljseay could this also be the case for you? Can you check in the network admin whether that Google email already belonged to another WordPress user?

samueljseay commented 4 weeks ago

@heavyweight at one point it belonged to my account, but I changed it to another email address. So as far as I'm concerned it was no longer associated with a WordPress user when I tried to use it.

heavyweight commented 4 weeks ago

Ensuring that I had an unused Gmail address on WordPress, I managed to reproduce something similar. My account for testing was a passwordless one; I will try with another using a password, since it's a different code path.

Screenshot 2024-09-18 at 11 15 36

Looking into fbhepr%2Skers%2Sjcpbz%2Sjc%2Qvapyhqrf%2Szf%2Qshapgvbaf.cuc%3Se%3Q7ps4qn45%23576-og I see that if an email was used for signup (logged in the signup table) we won't allow new registrations with it unless two days pass. I think it's important to keep this for security reasons, but we could definitely improve the error message to something like this:

Screenshot 2024-09-18 at 11 13 59

Does this improvement make sense for you @samueljseay? I will check after 2 days to ensure that I can create an account with that email.

samueljseay commented 4 weeks ago

@heavyweight I'm not sure that relates to my issue; the Gmail account was associated years ago.

Apart from that, I think this improvement is useful, yes :)

heavyweight commented 3 weeks ago

Noticed that we need to wait 60 days after a signup happens with an email to "unlock" it for future signups.

Dropping the diff here, D161734-code, for the next people in rotation.
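An added illustration of the signup-email cooldown discussed in the two comments above (two days as first observed, corrected to 60 days later), with the clearer user-facing message heavyweight proposes in place of the misleading "2FA enabled" error. This is example code, not wp-calypso or WordPress.com code; the signup-log shape, the function names and the sample rows are assumptions.

```javascript
// Added illustration, not wp-calypso or WordPress.com code. Models the
// signup-email cooldown discussed in the issue: an email that appears in the
// signup log cannot be used for a new account until COOLDOWN_DAYS have passed,
// and the user is told that instead of a misleading "2FA enabled" error.
const COOLDOWN_DAYS = 60; // figure stated later in the thread
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample signup log (shape is an assumption): one row per signup.
const sampleSignupLog = [
  { email: 'alice@example.com', signedUpAt: '2024-09-01T10:00:00Z' },
  { email: 'Bob@Example.com', signedUpAt: '2024-06-01T10:00:00Z' },
  { email: 'Bob@Example.com', signedUpAt: '2024-03-01T10:00:00Z' },
];

function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// Most recent signup time for the email (case-insensitive), or null if never used.
function lastSignupAt(log, email) {
  const wanted = normalizeEmail(email);
  let latest = null;
  for (const row of log) {
    if (normalizeEmail(row.email) !== wanted) continue;
    const t = new Date(row.signedUpAt);
    if (latest === null || t.getTime() > latest.getTime()) latest = t;
  }
  return latest;
}

// Decide whether a new signup may use this email and build the user-facing
// message. Returns { allowed, daysLeft, unlockAt, message }.
function checkSignupEmail(log, email, now = new Date()) {
  const last = lastSignupAt(log, email);
  if (last === null) {
    return { allowed: true, daysLeft: 0, unlockAt: null, message: null };
  }
  const unlockAt = new Date(last.getTime() + COOLDOWN_DAYS * MS_PER_DAY);
  if (now.getTime() >= unlockAt.getTime()) {
    return { allowed: true, daysLeft: 0, unlockAt, message: null };
  }
  const daysLeft = Math.ceil((unlockAt.getTime() - now.getTime()) / MS_PER_DAY);
  return {
    allowed: false,
    daysLeft,
    unlockAt,
    message: `This email address was used for a signup recently and cannot be ` +
      `reused for a new account for another ${daysLeft} day(s).`,
  };
}
```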

donnapep commented 1 week ago

Latest update as of October 8th is that we're waiting for feedback from Devops on D161734-code.

davemart-in commented 3 days ago

Removing Groundskeeper label since this has a solution in review.