NodeBB / nodebb-plugin-2factor

Two-Factor Authentication for NodeBB
MIT License

Email verification broken for accounts with 2FA #88

Closed 3ldor closed 1 year ago

3ldor commented 1 year ago

NodeBB version

v3.2.3

NodeBB git hash

b06d3e63cbdd0f00aed73dd8550221e5ee48ba2f

NodeJS version

v18.16.0

Installed NodeBB plugins

Database type

MongoDB

Database version

v6.0.4

Exact steps to cause this issue

  1. Have the Require new users to specify an email address setting disabled
  2. Register a new user (not verifying email), set up 2FA and logout
  3. Enable the Require new users to specify an email address setting
  4. Login with the new user (redirects to /register/complete)
  5. Attempt to open verification link from email

What you expected

The email to be verified, and redirected to the home page.

What happened instead

Gets endlessly stuck at /register/complete, and the following error in console:

2023-08-09T21:26:48.264Z [4567/26040] - error: [plugins] Error executing 'static:sockets.validateSession' in plugin 'nodebb-plugin-2factor'
Error: [[2factor:second-factor-required]]
    at plugin.checkSocket (-snip-\NodeBB-3\node_modules\nodebb-plugin-2factor\library.js:377:9)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.fireStaticHook [as static] (-snip-\NodeBB-3\src\plugins\hooks.js:236:5)
    at async Hooks.fire (-snip-\NodeBB-3\src\plugins\hooks.js:132:17)
    at async validateSession (-snip-\NodeBB-3\src\socket.io\index.js:248:2)
    at async onConnect (-snip-\NodeBB-3\src\socket.io\index.js:109:3)

Anything else?

The bug seems to happen when a user that has configured 2FA previously (at a time when email verification wasn't required) tries to verify their email address, and their session hasn't passed 2FA, i.e. the session doesn't have tfa: true. This can happen very naturally if an old user attempts to login, finds their email is unverified on login and then tries to validate it.

It doesn't seem to happen when the user already has at least one verified email ('email:confirmed': 1), like when changing it, since the forum can be used like normal, and the 2FA prompt is shown on login, properly elevating the session. I'd assume the bug lies here, and that 2FA should be challenged before /register/complete.

Clicking the link in an unauthenticated session ironically works as expected, so that's a workaround until fixed 😁.
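The ordering problem described in the report, as an added toy model (not the plugin's or NodeBB's code; all function names, flags and the `/login/2fa` path are hypothetical placeholders): a login pipeline that consults the "require email" gate before the 2FA gate sends the user to /register/complete with a session that never passed 2FA, so the socket-session check rejects every connection from that page.

```javascript
// Added illustration, not the plugin's code. Names and paths are hypothetical.

// Which interstitial a freshly logged-in request is sent to. `order` is the
// sequence of gates the login pipeline consults; the first that applies wins.
function nextStep(user, session, settings, order) {
  const gates = {
    // 2FA gate: a second factor is enrolled but this session has not passed it
    tfa: () => (user.tfaConfigured && session.tfa !== true ? '/login/2fa' : null),
    // Email gate: site now requires an email and this account has none confirmed
    email: () => (settings.requireEmail && !user.emailConfirmed ? '/register/complete' : null),
  };
  for (const name of order) {
    const dest = gates[name]();
    if (dest) return dest;
  }
  return '/';
}

// Model of the socket-session validation hook: a socket opened by a user who
// has 2FA configured is rejected until the session carries tfa: true.
function validateSocketSession(user, session) {
  if (user.tfaConfigured && session.tfa !== true) {
    throw new Error('[[2factor:second-factor-required]]');
  }
  return true;
}

function socketRejected(user, session) {
  try { validateSocketSession(user, session); return false; } catch (e) { return true; }
}

// Constructed sample matching the report: 2FA enrolled earlier, email never
// confirmed, "require email" switched on afterwards, session not yet elevated.
const user = { tfaConfigured: true, emailConfirmed: false };
const session = { tfa: false };
const settings = { requireEmail: true };

// Email gate first: user lands on /register/complete, session never passes
// 2FA, so every socket from that page is rejected and verification stalls.
const EMAIL_FIRST = ['email', 'tfa'];
// 2FA gate first: the challenge elevates the session before the email
// interstitial, so the socket check passes and the email can be verified.
const TFA_FIRST = ['tfa', 'email'];
```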

julianlam commented 1 year ago

Thanks for reporting! Nice edge case.

julianlam commented 1 year ago

v7.1.4