From e183b386a163b4610cc7a18eeebba8c3c9c89c5f Mon Sep 17 00:00:00 2001
From: Mike Mueller <mike.mueller@cstudio.ch>
Date: Fri, 1 May 2026 20:37:49 +0200
Subject: [PATCH] fix(admin): show TOTP prompt instead of redirecting on
 2fa-required login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The login form's hx-on::after-request redirected to /admin/ on any 2xx
response. The TOTP-required path also returns 2xx — with an HTML
fragment that unhides the TFA section — so the redirect fired before
the user ever saw the code input, locking out anyone who had enrolled
TOTP.

Only redirect when the 2xx body is empty (the real-login signal). When
the body is non-empty it's the prompt fragment, which htmx swaps into
#err and whose inline <script> reveals #tfa-section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 admin_ui/login.html | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/admin_ui/login.html b/admin_ui/login.html
index 7d1f0ac..3da90df 100644
--- a/admin_ui/login.html
+++ b/admin_ui/login.html
@@ -22,7 +22,15 @@
       hx-post="/admin/login"
       hx-target="#err"
       hx-swap="innerHTML"
-      hx-on::after-request="if (event.detail.successful) window.location.href = '/admin/'"
+      hx-on::after-request="
+        const xhr = event.detail.xhr;
+        if (event.detail.successful && (xhr.responseText || '').trim() === '') {
+          /* Empty 2xx body = real login. The TOTP-required path returns 2xx
+             with an HTML prompt fragment, which we MUST NOT redirect away
+             from. */
+          window.location.href = '/admin/';
+        }
+      "
     >
       <div>
         <label class="block text-xs font-medium text-slate-400 mb-1" for="username">Username</label>