
regression: no visual feedback on 2FA prompt #40649

Merged: dionisio-bot[bot] merged 8 commits into release-8.5.0 from fix/no-feedback-totp on May 28, 2026

@nazabucciarelli (Contributor) commented May 21, 2026

Proposed changes (including videos or screenshots)

The bug consists of no visual feedback being given to the user when getting into the Device management page from settings and introducing a wrong TOTP code. In order to re-add the 'Invalid password' or 'Invalid two factor code' notices to the user when the code/password is wrong, we have to roll back the use of the invalidAttempt prop and pass it through the modal components. This invalidAttempt prop passthrough, which makes the visual feedback possible, was removed in #37049.

Issue(s)

CORE-2210 [Regression] No visual feedback is provided when entering an incorrect TOTP code

Steps to test or reproduce

1- Set up a Rocket.Chat workspace with an EE.
2- Enable 2FA.
3- Go to Setting -> Device management. You will be prompted with a 2FA code.
4- Introduce a wrong code.

Expected: The dialog will show 'Invalid password' or 'Invalid two factor code' depending on the configured 2FA method.

Further comments

Introduced here #37049

Summary by CodeRabbit

  • Bug Fixes
    • Two-factor modals now surface prior invalid attempts so an “invalid code/password” message appears after a failed try.
    • Input fields clear prior validation errors as the user types, ensuring retries reflect the current input and validation state.


@dionisio-bot (Contributor, bot) commented May 21, 2026

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot (bot) commented May 21, 2026

⚠️ No Changeset found

Latest commit: 5d0998a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai (Contributor, bot) commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ed625329-422c-4eca-8350-ab45869ed06b

📥 Commits

Reviewing files that changed from the base of the PR and between b178c07 and 0fe5098.

📒 Files selected for processing (3)
  • apps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsx
  • apps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsx
  • apps/meteor/client/lib/2fa/process2faReturn.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • apps/meteor/client/lib/2fa/process2faReturn.ts
  • apps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsx
  • apps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsx
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: Hacktron Security Check
  • GitHub Check: CodeQL-Build

Walkthrough

Threads an optional invalidAttempt flag from the invoker through the parent TwoFactorModal to TOTP, Email, and Password modals; each modal sets a translated validation error when the flag is true and clears it on user input. Also switches the TOTP wrapper to call the injected callAsync on code submission.

Changes

Invalid Two-Factor Attempt Error Handling

Layer: Prop plumbing and parent modal forwarding
File(s): apps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsx, apps/meteor/client/lib/2fa/process2faReturn.ts
Summary: TwoFactorModalProps gains optional invalidAttempt, TwoFactorModal destructures and forwards it to child modals, and invokeTwoFactorModal accepts and conditionally forwards the prop when rendering the modal.

Layer: Email modal invalid attempt handling
File(s): apps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsx
Summary: TwoFactorEmailModal accepts invalidAttempt, imports useEffect, sets a manual code error with Invalid_two_factor_code translation when true, and clears that error on input changes.

Layer: TOTP modal invalid attempt handling
File(s): apps/meteor/client/components/TwoFactorModal/TwoFactorTotpModal.tsx
Summary: TwoFactorTotpModal accepts invalidAttempt, imports useEffect, sets a manual code error with Invalid_two_factor_code translation when true, and clears that error on input changes.

Layer: Password modal invalid attempt handling
File(s): apps/meteor/client/components/TwoFactorModal/TwoFactorPasswordModal.tsx
Summary: TwoFactorPasswordModal accepts invalidAttempt, imports useEffect, sets a manual password error with Invalid_password translation when true, and clears that error on input changes.

Layer: TOTP async call injection
File(s): apps/meteor/client/meteor/overrides/totpOnCall.ts
Summary: withAsyncTOTP’s onCode branch now invokes the injected callAsync(methodName, ...args, { twoFactorCode, twoFactorMethod }) instead of calling Meteor.callAsync(...) directly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • RocketChat/Rocket.Chat#40679: Modifies client-side 2FA modal flow and invalidAttempt handling; code-level related changes to process2faReturn.ts and TwoFactor modal props.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'regression: no visual feedback on 2FA prompt' clearly summarizes the main change: fixing a regression related to missing visual feedback on two-factor authentication prompts.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CORE-2210: Request failed with status code 401


Comment @coderabbitai help to get the list of available commands and usage tips.
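
The flow described in the walkthrough above, modelled without React or Meteor as an added example that is not part of this PR or the Rocket.Chat code base. Only `invalidAttempt` and the two translation keys come from the page; `openModal`, `typeInto`, `runPrompt`, the `forwardFlag` switch and the sample codes are hypothetical and constructed for illustration.

```typescript
type TwoFactorMethod = 'totp' | 'email' | 'password';
type Modal = { method: TwoFactorMethod; value: string; error: string | undefined };
type Outcome = { ok: boolean; errorsSeenOnOpen: (string | undefined)[] };

// Translation keys named in the walkthrough.
function errorKeyFor(method: TwoFactorMethod): string {
  return method === 'password' ? 'Invalid_password' : 'Invalid_two_factor_code';
}

// Hypothetical stand-in for mounting a modal: a true flag sets the manual error.
function openModal(method: TwoFactorMethod, invalidAttempt?: boolean): Modal {
  return { method, value: '', error: invalidAttempt ? errorKeyFor(method) : undefined };
}

// Hypothetical stand-in for the input's change handler: typing clears the error.
function typeInto(modal: Modal, value: string): void {
  modal.value = value;
  modal.error = undefined;
}

// Replays scripted inputs. `verify` stands in for the server-side check, which
// alone decides success; the flag only controls what the next modal displays.
// forwardFlag=false models the regression, where the prop was not passed through.
function runPrompt(
  method: TwoFactorMethod,
  inputs: string[],
  verify: (code: string) => boolean,
  forwardFlag: boolean = true,
): Outcome {
  const errorsSeenOnOpen: (string | undefined)[] = [];
  let invalidAttempt = false;
  for (const input of inputs) {
    const modal = openModal(method, forwardFlag ? invalidAttempt : undefined);
    errorsSeenOnOpen.push(modal.error); // what the user sees before typing
    typeInto(modal, input);
    if (verify(modal.value)) return { ok: true, errorsSeenOnOpen };
    invalidAttempt = true; // the next prompt should say why it reopened
  }
  return { ok: false, errorsSeenOnOpen };
}

// Constructed sample: one wrong code, then the right one.
const isRight = (code: string): boolean => code === '654321';
const fixed = runPrompt('totp', ['000000', '654321'], isRight);
const regressed = runPrompt('totp', ['000000', '654321'], isRight, false);
console.log(fixed.errorsSeenOnOpen, regressed.errorsSeenOnOpen);
```

In the regressed run the second prompt opens with no error, which is the missing feedback this PR reports; the verification result is the same in both runs.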

@nazabucciarelli nazabucciarelli changed the title from "add invalidAttempt property passthrough" to "regression: no visual feedback on 2FA prompt" May 21, 2026
@nazabucciarelli nazabucciarelli modified the milestones: 8.6.0, 8.5.0 May 21, 2026

@codecov (bot) commented May 21, 2026

Codecov Report

❌ Patch coverage is 54.83871% with 14 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-8.5.0@1bad98a). Learn more about missing BASE report.

Additional details and impacted files


@@               Coverage Diff                @@
##             release-8.5.0   #40649   +/-   ##
================================================
  Coverage                 ?   69.97%           
================================================
  Files                    ?     3327           
  Lines                    ?   126590           
  Branches                 ?    22007           
================================================
  Hits                     ?    88577           
  Misses                   ?    34726           
  Partials                 ?     3287           
Flag | Coverage Δ
e2e | 59.27% <58.62%> (?)
e2e-api | 46.15% <ø> (?)
unit | 70.10% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.


@ggazzo (Member) previously requested changes May 22, 2026 and left a comment:

It would be very interesting to know the root cause. I changed some things in the two-factor and SDK, and it would be good to know what kinds of changes actually broke the problem.

@gabriellsh (Member) commented:

> It would be very interesting to know the root cause. I changed some things in the two-factor and SDK, and it would be good to know what kinds of changes actually broke the problem.

@ggazzo I added the root cause PR to the description

@gabriellsh gabriellsh marked this pull request as ready for review May 27, 2026 13:11
@gabriellsh gabriellsh requested a review from a team as a code owner May 27, 2026 13:11

@cubic-dev-ai (Contributor, bot) left a comment:

No issues found across 5 files


@Harmeet221 Harmeet221 added the stat: QA assured Means it has been tested and approved by a company insider label May 28, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label May 28, 2026
@gabriellsh gabriellsh removed the stat: QA assured Means it has been tested and approved by a company insider label May 28, 2026
@dionisio-bot dionisio-bot Bot removed the stat: ready to merge PR tested and approved waiting for merge label May 28, 2026
@gabriellsh gabriellsh added the stat: QA assured Means it has been tested and approved by a company insider label May 28, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label May 28, 2026
@dionisio-bot dionisio-bot Bot merged commit 5c38dd9 into release-8.5.0 May 28, 2026
82 of 85 checks passed
@dionisio-bot dionisio-bot Bot deleted the fix/no-feedback-totp branch May 28, 2026 20:18

Labels

  • area: authentication
  • stat: QA assured (Means it has been tested and approved by a company insider)
  • stat: ready to merge (PR tested and approved waiting for merge)
  • type: bug
