Skip to content

Avoid security-key dead-end on re-auth in non-account apps#501

Open
Sea-n wants to merge 2 commits into
ProtonMail:mainfrom
Sea-n:org-setup-2fa
Open

Avoid security-key dead-end on re-auth in non-account apps#501
Sea-n wants to merge 2 commits into
ProtonMail:mainfrom
Sea-n:org-setup-2fa

Conversation

@Sea-n
Copy link
Copy Markdown

@Sea-n Sea-n commented May 2, 2026

As a new Business plan user, when I click Org setup in the Proton Calendar navbar, I'm asked for an organization name. After entering it and then my password, the flow fails: "security key sign-in isn't supported on the calendar.proton.me subdomain".

Steps to reproduce

  1. Use a new org account (no org name yet).
  2. Set up a security key, leaving TOTP unused.
  3. Open calendar.proton.me.
  4. Click Org setup in the navbar.
  5. Enter any org name and submit.
  6. Enter your password and submit.
  7. Error: "Security key sign-in is not supported on this application, please use https://account.proton.me".

Fix

A. Pre-check in SrpAuthModal

When userSettings indicates FIDO2-only 2FA on a non-account app, render a "Continue in Proton Account" redirect screen instead of the password form. Avoids letting the user submit a password that's destined to fail. A "Continue here anyway" escape hatch preserves the original flow for edge cases (e.g. admin signed in as sub-user) where userSettings is misleading; the authoritative /auth/info check still runs on submit.

This also covers ChangeOrganizationPasswordModal, ChangeOrganizationKeysModal, and other admin actions using unlockPasswordChanges() with scope="password".

B. Gate in B2B Onboarding

Add a warning banner + Proton Account link above the org-name input, so the user doesn't invest time entering information in a place where it can't be saved.

Caveats

  • I couldn't figure out how to remove my own org name on production once it's set, so I'm unable to reproduce the exact original flow again or capture before/after screenshots.
  • I haven't set up the project locally, so to be honest I haven't actually run this; code-wise LGTM, but it needs someone with a working dev environment to verify the behavior end-to-end.

Sea-n added 2 commits May 2, 2026 13:07
@Sea-n
Detect FIDO2-only re-auth dead-end before password prompt
bf9fb99 
On non-account apps (calendar, mail, drive), users whose only 2FA
factor is a security key cannot complete a `password` scope re-auth:
SrpAuthModal accepts the password and then fails with "Security key
sign-in is not supported on this application", forcing the user to
restart on account.proton.me.

Add `getRequiresAccountAppForTwoFactor` and use it in SrpAuthModal to
detect this case from userSettings before the password form renders.
The modal now shows a "Continue in Proton Account" redirect screen
instead, with a "Continue here anyway" escape hatch for cases where
userSettings is misleading (e.g. admin signed in as sub-user) — the
authoritative `/auth/info` check still runs on submit.
@Sea-n
Warn during B2B org setup when re-auth requires Proton Account
6e71a12 
The org-name step in B2B onboarding triggers a password re-auth, which
dead-ends on non-account apps for users whose only 2FA factor is a
security key. Surface the constraint with a warning banner and a
"Continue in Proton Account" link above the org-name input, so the
user can switch over before filling in the form.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Sea-n