Recovery link remains clickable after the abort notice fires #156

@aspiers

Description

`showFlowAbortedNotice` disables OTP boxes, Resend, Back, and Verify, but leaves the `#recovery-link` anchor fully interactive. Its own comment says "nothing the user does on the form has any effect from here on" — the recovery link violates that invariant. A user who clicks it will land on the recovery page, find the same dead PAR, trigger the abort notice there too, and take several extra steps to reach the OAuth client. The recovery link is an `<a>` tag, so `.disabled` won't work; hiding it with `style.display` is consistent with every other dynamic visibility change in this IIFE (lines 905, 932, 981, 993).

🛠️ Proposed fix
       var verifyBtn = document.querySelector('#form-verify-otp button[type=submit]');
       if (verifyBtn) verifyBtn.disabled = true;
+      var recoveryLinkEl = document.getElementById('recovery-link');
+      if (recoveryLinkEl) recoveryLinkEl.style.display = 'none';
       // Render the notice in the existing error banner so the
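Review bot: the two added lines fix the visible gap but are a UX measure only, so the abort path on the recovery page itself (the one the description says already fires for the dead PAR) must stay in place; a hidden anchor is still in the DOM and the recovery URL can still be reached directly. Keep the `if (recoveryLinkEl)` null guard as written, since the rest of the function guards every lookup the same way, and add a matching assertion that `recovery-link` has `display: none` to the "disables every form control when the notice fires" test so the invariant the comment above states is actually checked.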

Consider adding an assertion to the 'disables every form control when the notice fires' test in login-page.test.ts once the fix is in.
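The check suggested above, as an added example that is not the project's code: a small fake DOM stands in for the login page so the "nothing remains clickable" invariant can be exercised from plain Node without a browser. It re-creates the abort-notice behaviour once with the `.disabled` attempt the description says cannot work on an anchor and once with the `style.display` fix, and returns which controls survive each. The element ids, the submit-button selector and the `.otp-box` class are assumptions based on the issue text.

```javascript
// Added example, not code from the project. Ids, the submit-button selector
// and the '.otp-box' class are assumptions taken from the issue text.

function makeElement(tag, id) {
  return { tag, id, disabled: false, style: { display: '' } };
}

function makeFakeDocument() {
  const otpBoxes = [0, 1, 2, 3, 4, 5].map((i) => makeElement('input', 'otp-' + i));
  const byId = {
    'btn-resend': makeElement('button', 'btn-resend'),
    'btn-back': makeElement('button', 'btn-back'),
    'recovery-link': makeElement('a', 'recovery-link'),
  };
  const verifyBtn = makeElement('button', 'verify-submit');
  return {
    getElementById: (id) => byId[id] || null,
    querySelector: (sel) => (sel === '#form-verify-otp button[type=submit]' ? verifyBtn : null),
    querySelectorAll: (sel) => (sel === '.otp-box' ? otpBoxes : []),
    // Everything a user could interact with on the form.
    controls: () => [...otpBoxes, ...Object.values(byId), verifyBtn],
  };
}

// Models browser behaviour: `disabled` stops inputs and buttons, but an <a>
// has no disabled attribute (setting .disabled is only an expando property),
// so only removing it from layout (display: none) stops the click.
function isClickable(el) {
  if (el.style.display === 'none') return false;
  if (el.tag === 'a') return true;
  return !el.disabled;
}

function clickableControls(doc) {
  return doc.controls().filter(isClickable).map((el) => el.id);
}

// Re-creation of showFlowAbortedNotice. `hideRecoveryLink` toggles the fix
// proposed in the issue; without it the function tries the .disabled route.
function showFlowAbortedNotice(doc, state, { hideRecoveryLink }) {
  if (state.flowAborted) return; // notice already rendered once
  state.flowAborted = true;
  doc.querySelectorAll('.otp-box').forEach((box) => { box.disabled = true; });
  ['btn-resend', 'btn-back'].forEach((id) => {
    const el = doc.getElementById(id);
    if (el) el.disabled = true;
  });
  const verifyBtn = doc.querySelector('#form-verify-otp button[type=submit]');
  if (verifyBtn) verifyBtn.disabled = true;
  const recoveryLinkEl = doc.getElementById('recovery-link');
  if (recoveryLinkEl) {
    if (hideRecoveryLink) recoveryLinkEl.style.display = 'none'; // the proposed fix
    else recoveryLinkEl.disabled = true;                          // no effect on an <a>
  }
}

// Runs both variants and reports which controls survive the notice.
function checkInvariant() {
  const results = {};
  for (const hideRecoveryLink of [false, true]) {
    const doc = makeFakeDocument();
    showFlowAbortedNotice(doc, { flowAborted: false }, { hideRecoveryLink });
    results[hideRecoveryLink ? 'withFix' : 'withoutFix'] = clickableControls(doc);
  }
  return results;
}

console.log(JSON.stringify(checkInvariant()));
```

Run it with `node` and the unfixed variant reports `["recovery-link"]` as the only surviving control, while the fixed variant reports an empty list; the same `clickableControls` check is what the assertion in `login-page.test.ts` would express against the real DOM.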

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth-service/src/routes/login-page.ts` around lines 790 - 820, the
showFlowAbortedNotice function currently disables OTP inputs and buttons but
leaves the `#recovery-link` anchor interactive; hide the recovery link instead of
trying to disable it so nothing remains clickable after abort. In
showFlowAbortedNotice (the function that sets flowAborted and disables otpBoxes,
btn-resend, btn-back, and the form submit), locate
document.getElementById('recovery-link') and set its style.display = 'none'
(consistent with other visibility changes in the IIFE) so the anchor is removed
from view/clickability when the abort notice is shown. Ensure the change is only
applied inside the flowAborted guard so the link remains available otherwise.

Originally posted by @coderabbitai[bot] in #154 (comment)
