security: prevent email enumeration on teacher login

Previously the login form returned distinct errors for "email not found"
vs "email not confirmed", allowing enumeration of registered emails. Now
all outcomes redirect to the emaillogin page without revealing which
case applied. The unreachable EmailNotFound/EmailNotConfirmed template
blocks are removed from teacherlogin.html.

Update emaillogin.html text to reflect that a login link is only sent
if the account exists and is confirmed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sumnerevans

internal/teacherlogin.go

@@ -63,12 +63,12 @@ func (a *Application) HandleTeacherLogin(w http.ResponseWriter, r *http.Request)
 	if err != nil {
 		log.Warn().Err(err).Msg("failed to find teacher by email, redirecting without sending email")
 		http.SetCookie(w, &http.Cookie{Name: "email", Value: emailAddress, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
-		http.Redirect(w, r, "/register/teacher/confirmemail", http.StatusSeeOther)
+		http.Redirect(w, r, "/register/teacher/emaillogin", http.StatusSeeOther)
 		return
 	} else if !teacher.EmailConfirmed {
 		log.Warn().Msg("teacher email not confirmed, redirecting without sending email")
 		http.SetCookie(w, &http.Cookie{Name: "email", Value: emailAddress, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
-		http.Redirect(w, r, "/register/teacher/confirmemail", http.StatusSeeOther)
+		http.Redirect(w, r, "/register/teacher/emaillogin", http.StatusSeeOther)
 		return
 	}
 
@@ -99,6 +99,6 @@ func (a *Application) HandleTeacherLogin(w http.ResponseWriter, r *http.Request)
 	} else {
 		log.Info().Msg("sent email")
 		http.SetCookie(w, &http.Cookie{Name: "email", Value: emailAddress, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
-		http.Redirect(w, r, "/register/teacher/confirmemail", http.StatusSeeOther)
+		http.Redirect(w, r, "/register/teacher/emaillogin", http.StatusSeeOther)
 	}
 }

website/templates/confirmemail.html

@@ -24,15 +24,17 @@ <h1>Confirm Email</h1>
     <div class="row">
       <div class="col m-4 text-center">
         <p>
-          If <b>{{ .Data.Email }}</b> has a confirmed account, we've sent a login link to that address.
+          We've sent an email to <b>{{ .Data.Email }}</b>.
         </p>
         <p style="font-size: 10em; line-height: 0;"><i class="fa fa-envelope-o"></i></p>
         <p>
-          Please check your email and click the link to log in.
+          Please check your email and click the link to confirm your email address and log in.
         </p>
         <p>
-          If you haven't confirmed your email yet, check your inbox for the original confirmation email.
-          If you need help, <a href="mailto:support@mineshspc.com">contact support</a>.
+          <b>
+            You must confirm your email now, or you will have to contact the Mines HSPC team to get
+            your account activated.
+          </b>
         </p>
       </div>
     </div>

website/templates/emaillogin.html

@@ -25,11 +25,13 @@ <h1>Email Login</h1>
     <div class="row">
       <div class="col m-4 text-center">
         <p>
-          We've sent an email to <b>{{ .Data.Email }}</b>.
+          If <b>{{ .Data.Email }}</b> has a confirmed account, we've sent a login link to that address.
         </p>
         <p style="font-size: 10em; line-height: 0;"><i class="fa fa-envelope-o"></i></p>
         <p>
-          Please check your email and click the link to log in.
+          Please check your email and click the link to log in. If you haven't confirmed your email
+          yet, check your inbox for the original confirmation email. Need help?
+          <a href="mailto:support@mineshspc.com">Contact support</a>.
         </p>
       </div>
     </div>