wellcomecollection / wellcomecollection.org

🪟 Wellcome Collection's website and services that support it
https://wellcomecollection.org
MIT License

Get rid of the "Enroll in multi-factor authentication" screen on email verification #8289

Closed alexwlchan closed 7 months ago

alexwlchan commented 2 years ago

When users verify their email address, they're briefly taken to https://account.wellcomecollection.org/u/email-verification?ticket=[…] which shows the message "Enroll in multi-factor authentication"

What's up with that? We shouldn't be showing them that.

Note: although this behaviour is now fixed, it's a hacky workaround. I'm leaving this ticket open to track fixing it "properly".

alexwlchan commented 2 years ago

I was hoping to use a0deploy to get a dump of all our config and find out where (if anywhere) this is configured. But it seems unhappy with me:

```
$ a0deploy export -c config.json -f yaml -o .
2022-08-17T08:18:20.745Z - error: Problem running command export
2022-08-17T08:18:20.745Z - error: {"error":"access_denied","error_description":"Service not enabled within domain: https://stage.account.wellcomecollection.org/api/v2/"}
```
alexwlchan commented 2 years ago

Notably: this is much faster on subsequent verifications. Could it be related to the Sierra database verify script? 🤔

alexwlchan commented 2 years ago

I managed to get a dump of the config using a token from the Auth0 Management API Explorer, but I can't see the word "Enroll" anywhere in the output – so I don't think it's something we've configured.

alexwlchan commented 2 years ago

I had a go at customising all the text in the email-verification prompts, using the list from https://auth0.com/docs/customize/universal-login-pages/universal-login-page-templates

```json
{
  "email-verification-result": {
    "pageTitle": "@@AWLC pageTitle",
    "verifiedTitle": "@@AWLC pageTitle",
    "errorTitle": "@@AWLC errorTitle",
    "alreadyVerifiedDescription": "@@AWLC alreadyVerifiedDescription",
    "invalidAccountOrCodeDescription": "@@AWLC invalidAccountOrCodeDescription",
    "unknownErrorDescription": "@@AWLC unknownErrorDescription",
    "buttonText": "@@AWLC buttonText",
    "auth0-users-expired-ticket": "@@AWLC auth0-users-expired-ticket",
    "custom-script-error-code": "@@AWLC custom-script-error-code",
    "auth0-users-used-ticket": "@@AWLC auth0-users-used-ticket",
    "auth0-users-validation": "@@AWLC auth0-users-validation",
    "verifiedDescription": "Thank you for verifying your email address. The library team will review your application and will confirm your membership within the next 72 hours."
  }
}
```

but I still get the same error. 🤔

[Screenshot attached: 2022-08-18 at 08:42:35]
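The sentinel approach above (filling every custom-text key with an unmistakable `@@AWLC …` value and seeing which ones show up) can be automated. The following is an added example, not code from this issue or the identity repo: it pulls the visible text out of a saved page and reports which prompt keys actually rendered and which visible strings are not explained by the prompt config at all. The custom-text dict and the HTML are constructed stand-ins for the real config and the attached `email-verification.html`.

```python
from html.parser import HTMLParser

# Constructed sample in the shape of the "email-verification-result" prompt
# custom text, with sentinel values that are easy to spot in rendered output.
CUSTOM_TEXT = {
    "email-verification-result": {
        "pageTitle": "@@AWLC pageTitle",
        "verifiedTitle": "@@AWLC verifiedTitle",
        "buttonText": "@@AWLC buttonText",
        "verifiedDescription": "Thank you for verifying your email address.",
    }
}

# Constructed stand-in for the saved page (the real one is attached above).
SAMPLE_HTML = """<html><head><title>@@AWLC pageTitle</title></head><body>
<!-- Here we need to show the description message -->
<h1>Enroll in multi-factor authentication</h1>
<p>Thank you for verifying your email address.</p>
<button>@@AWLC buttonText</button>
</body></html>"""


class _TextCollector(HTMLParser):
    """Collects visible text fragments; tags and HTML comments are dropped."""

    def __init__(self):
        super().__init__()
        self.fragments = []

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace-only runs
        if text:
            self.fragments.append(text)


def visible_text(html):
    """Return the list of non-empty visible text fragments in the page."""
    parser = _TextCollector()
    parser.feed(html)
    return parser.fragments


def trace_text(html, custom_text, prompt):
    """Return (keys whose value rendered, visible strings not from the prompt config)."""
    fragments = visible_text(html)
    values = custom_text[prompt]
    rendered = sorted(key for key, value in values.items() if value in fragments)
    unexplained = [f for f in fragments if f not in values.values()]
    return rendered, unexplained
```

Anything in the second list, such as the MFA heading here, is text that the prompt custom-text settings do not control, so it has to be changed somewhere else (in this case the Universal Login page template).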
alexwlchan commented 2 years ago

I also can't find this string anywhere on Google or the Auth0 documentation; I have no idea where it comes from. :|

alexwlchan commented 2 years ago

Aha, I got a workaround.

Previously I've been unable to inspect the page properly, because it appears in a browser then blinks away almost immediately. But today I ran the following command:

```
$ curl -v 'https://stage.account.wellcomecollection.org/u/email-verification?ticket=wprWzdbIiLWhVZfKzSv7ZMvCIthu3vh5' > email-verification.html
```

which saved the page to a local HTML file (attached to this comment).

email-verification.html (visible text of the attached page):

```html
Enroll in multi-factor authentication

Enroll in multi-factor authentication

Click Continue to Verify Your Email
```

This is the interesting bit:

```html
<!-- Here we need to show the description message -->
<h1>Enroll in multi-factor authentication</h1>
```

which matches part of our universal-login template.

This does two things:

  1. It gives us a workaround; we can replace that message with text that we control
  2. We know this is coming from inside the Universal Login flow

I am going to ask about this in the Auth0 forums, but in the meantime we're less likely to confuse users.

alexwlchan commented 2 years ago

I've started a thread in the Auth0 support forums to ask what's going on here, in the hope somebody else knows more than me: https://community.auth0.com/t/why-do-users-see-a-brief-enroll-in-multi-factor-authentication-screen-during-email-verification/89145

alexwlchan commented 2 years ago

I'm going to remove this card from the board because it's "fixed" by merging https://github.com/wellcomecollection/identity/pull/376, but it's a hacky fix. I'm going to leave this ticket open to track understanding the underlying issue and fixing it properly, possibly using the Auth0 forum post above.

rcantin-w commented 7 months ago

The Auth0 thread went dead and I don't think this has been raised since either. As it's got a fix in place, I'm thinking we close and unarchive should we want to look into it again.