Unable to confirm new email when two factor backup codes are enabled

When two factor backup codes are enabled, confirming a new email address fails with this error:

Oops

The software powering this discussion forum encountered an unexpected problem. We apologize for the inconvenience.

Detailed information about the error was logged, and an automatic notification generated. We'll take a look at it.

No further action is necessary. However, if the error condition persists, you can provide additional detail, including steps to reproduce the error, by posting a discussion topic in the site's feedback category.

This happens across multiple Discourse setups, so it isn’t specific to one.

Turning off the two factor backup codes feature resolves the issue, and email verification goes through fine.

Full steps to reproduce the issue:

  • Start with an account on any Discourse (can use https://try.discourse.org/ for testing)
  • Set up 2FA with TOTP (I have not tested with physical security keys)
  • Change email on your account
  • Click on verification email sent to the new email inbox. Notice that the verification goes through.
  • Enable two factor backup codes on your 2FA settings.
  • Change email on account again.
  • Click on verification email sent to the newest email inbox. Notice that the verification fails with the error noted earlier.
  • Turn off two factor backup codes.
  • Change email again.
  • Click on the verification email sent to the newest address.
  • You will be asked to enter the TOTP code.
  • This time the verification of the newest email goes through fine.
4 Likes

Did you check /logs in your web browser when logged in as an admin to see what the actual error is? I think we would have seen this on our sites if it was an actual bug.

Also, is this with security keys, or TOTP tokens? Regardless, we will need specific reproduction steps here (either in a dev environment, or try.discourse.org) so we can confirm.

3 Likes

Just to chip in, it doesn’t look like there were any relevant logged errors over at Caddy’s forums.

2 Likes

Thanks for interlinking the threads!

Good point. This turns out to be an issue only when two factor backup codes are enabled. I have updated the post with the new details and steps to reproduce.

1 Like

How do we feel about these repro steps @tshenry? The sequence seems a bit odd to me.

1 Like

I didn’t mean to say that the email needs to be updated multiple times. It’s to indicate that the email verification fails only when backup codes are enabled, and not otherwise.

There’s definitely a bug here. To refine repro steps a bit:

  1. Set up 2FA with TOTP
  2. Enable backup codes
  3. Change email address
  4. Select the verification link in the confirmation email
  5. Get hit with the “Oops” page

I can confirm that disabling the backup codes will immediately fix the issue, even when using the same email verification link.

Error log shows:

ActionView::Template::Error (Missing partial common/_second_factor_form_script with {:locale=>[:en_US, :en], :formats=>[:html], :variants=>[], :handlers=>[:raw, :erb, :html, :builder, :ruby]}. Searched in:
  * "/var/www/discourse/app/views"
)
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/actionview-6.0.1/lib/action_view/path_set.rb:48:in `find'

Which I believe relates to this line here: https://github.com/discourse/discourse/blob/master/app/views/users_email/confirm.html.erb#L36

That references a file that is indeed missing: https://github.com/discourse/discourse/tree/master/app/views/common

8 Likes
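
A check for the failure class in the log above (a view that renders a partial with no file on disk), as an added example that is not part of the thread or of Discourse's code. It scans ERB views for literal `render partial:` references and reports those without a matching `_name.*` file; the sample tree, the `@backup_codes_enabled` variable and the `second_factor_text_field` partial are constructed, and only explicit `dir/name` references under one view root are handled.

```ruby
require "tmpdir"
require "fileutils"

# Matches render calls with a literal partial path, e.g.
#   <%= render partial: "common/foo" %>   or   <%= render :partial => 'common/foo' %>
PARTIAL_RE = /render\s*\(?\s*(?::partial\s*=>|partial:)\s*["']([^"'#]+)["']/

# Returns [[template, partial_ref], ...] for each literal "dir/name" partial
# reference that has no _name.* file under views_root.
def missing_partials(views_root)
  missing = []
  Dir.glob(File.join(views_root, "**", "*.erb")).sort.each do |template|
    File.read(template).scan(PARTIAL_RE).flatten.each do |ref|
      # Bare names resolve relative to the controller's view dir; not handled here.
      next unless ref.include?("/")
      dir, name = File.split(ref)
      candidates = Dir.glob(File.join(views_root, dir, "_#{name}.*"))
      rel = template.delete_prefix(views_root + "/")
      missing << [rel, ref] if candidates.empty?
    end
  end
  missing
end

# Constructed sample tree (not Discourse's actual templates): the partial is
# only rendered inside a conditional branch, so the page works until the
# branch is taken, as with the backup-codes setting in this thread.
def build_sample_tree(root)
  FileUtils.mkdir_p(File.join(root, "users_email"))
  FileUtils.mkdir_p(File.join(root, "common"))
  File.write(File.join(root, "users_email", "confirm.html.erb"), <<~ERB)
    <% if @backup_codes_enabled %>
      <%= render partial: "common/second_factor_form_script" %>
    <% end %>
    <%= render partial: "common/second_factor_text_field" %>
  ERB
  File.write(File.join(root, "common", "_second_factor_text_field.html.erb"), "<input>\n")
end

# Builds the sample tree in a temp dir and returns the missing references.
def demo
  Dir.mktmpdir do |root|
    build_sample_tree(root)
    missing_partials(root)
  end
end

demo.each { |tpl, ref| puts "#{tpl}: missing partial #{ref}" } if __FILE__ == $PROGRAM_NAME
```

Run in CI against a view directory, a static check like this flags the missing file without depending on a test that happens to exercise the conditional branch.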

Thanks @arun — we should get this fixed @eviltrout

4 Likes

This has been fixed via this commit:

https://github.com/discourse/discourse/commit/3b16eb7abb2986132d3f7fdfe36d1d21e0d650bb

7 Likes