security: prevent email enumeration on teacher login (#200)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sumnerevans

internal/teacherlogin.go

@@ -61,18 +61,14 @@ func (a *Application) HandleTeacherLogin(w http.ResponseWriter, r *http.Request)
 
 	teacher, err := a.DB.GetTeacherByEmail(r.Context(), emailAddress)
 	if err != nil {
-		log.Warn().Err(err).Msg("failed to find teacher by email")
-		a.TeacherLoginRenderer(w, r, map[string]any{
-			"Email":         emailAddress,
-			"EmailNotFound": true,
-		})
+		log.Warn().Err(err).Msg("failed to find teacher by email, redirecting without sending email")
+		http.SetCookie(w, &http.Cookie{Name: "email", Value: emailAddress, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
+		http.Redirect(w, r, "/register/teacher/emaillogin", http.StatusSeeOther)
 		return
 	} else if !teacher.EmailConfirmed {
-		log.Warn().Err(err).Msg("teacher email not confirmed, not sending login code to avoid amplification attacks")
-		a.TeacherLoginRenderer(w, r, map[string]any{
-			"Email":             emailAddress,
-			"EmailNotConfirmed": true,
-		})
+		log.Warn().Msg("teacher email not confirmed, redirecting without sending email")
+		http.SetCookie(w, &http.Cookie{Name: "email", Value: emailAddress, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
+		http.Redirect(w, r, "/register/teacher/emaillogin", http.StatusSeeOther)
 		return
 	}
 

website/templates/emaillogin.html

@@ -25,11 +25,13 @@ <h1>Email Login</h1>
     <div class="row">
       <div class="col m-4 text-center">
         <p>
-          We've sent an email to <b>{{ .Data.Email }}</b>.
+          If <b>{{ .Data.Email }}</b> has a confirmed account, we've sent a login link to that address.
         </p>
         <p style="font-size: 10em; line-height: 0;"><i class="fa fa-envelope-o"></i></p>
         <p>
-          Please check your email and click the link to log in.
+          Please check your email and click the link to log in. If you haven't confirmed your email
+          yet, check your inbox for the original confirmation email. Need help?
+          <a href="mailto:support@mineshspc.com">Contact support</a>.
         </p>
       </div>
     </div>

website/templates/teacherlogin.html

@@ -15,28 +15,9 @@ <h1>Login to Teacher Account</h1>
   <form method="post" action="/register/teacher/login" class="form-floating">
     <div class="row">
       <div class="col m-4 mb-0">
-        {{ with .Data.EmailNotFound }}
-          <div class="alert alert-danger" role="alert">
-            That email doesn't exist in our system. Did you want to
-            <a href="/register/teacher/createaccount">create an account</a> instead?
-          </div>
-        {{ else }}
-          {{ with .Data.EmailNotConfirmed }}
-            <div class="alert alert-danger" role="alert">
-              <p>
-                That email hasn't been confirmed yet. Please confirm your email before logging in.
-              </p>
-              <p>
-                Lost your confirmation email? Send an email to
-                <a href="mailto:support@mineshspc.com">support@mineshspc.com</a>.
-              </p>
-            </div>
-          {{ else }}
-            <div class="alert alert-secondary" role="alert">
-              Don't have an account? <a href="/register/teacher/createaccount">Create an account</a> instead.
-            </div>
-          {{ end }}
-        {{ end }}
+        <div class="alert alert-secondary" role="alert">
+          Don't have an account? <a href="/register/teacher/createaccount">Create an account</a> instead.
+        </div>
       </div>
     </div>
     <div class="row">