security: prevent email enumeration on teacher login

Previously, the login form returned distinct error messages for
"email not found" vs "email not confirmed", allowing attackers to
enumerate registered emails. Now both failure cases silently redirect
to the same "check your email" page without sending an email, identical
to the success response. The distinction is only logged server-side.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sumnerevans

internal/teacherlogin.go

@@ -61,18 +61,14 @@ func (a *Application) HandleTeacherLogin(w http.ResponseWriter, r *http.Request)
 
 	teacher, err := a.DB.GetTeacherByEmail(r.Context(), emailAddress)
 	if err != nil {
-		log.Warn().Err(err).Msg("failed to find teacher by email")
-		a.TeacherLoginRenderer(w, r, map[string]any{
-			"Email":         emailAddress,
-			"EmailNotFound": true,
-		})
+		log.Warn().Err(err).Msg("failed to find teacher by email, redirecting without sending email")
+		http.SetCookie(w, &http.Cookie{Name: "email", Value: emailAddress, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
+		http.Redirect(w, r, "/register/teacher/emaillogin", http.StatusSeeOther)
 		return
 	} else if !teacher.EmailConfirmed {
-		log.Warn().Err(err).Msg("teacher email not confirmed, not sending login code to avoid amplification attacks")
-		a.TeacherLoginRenderer(w, r, map[string]any{
-			"Email":             emailAddress,
-			"EmailNotConfirmed": true,
-		})
+		log.Warn().Msg("teacher email not confirmed, redirecting without sending email")
+		http.SetCookie(w, &http.Cookie{Name: "email", Value: emailAddress, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
+		http.Redirect(w, r, "/register/teacher/emaillogin", http.StatusSeeOther)
 		return
 	}
 

website/templates/teacherlogin.html

@@ -15,28 +15,9 @@ <h1>Login to Teacher Account</h1>
   <form method="post" action="/register/teacher/login" class="form-floating">
     <div class="row">
       <div class="col m-4 mb-0">
-        {{ with .Data.EmailNotFound }}
-          <div class="alert alert-danger" role="alert">
-            That email doesn't exist in our system. Did you want to
-            <a href="/register/teacher/createaccount">create an account</a> instead?
-          </div>
-        {{ else }}
-          {{ with .Data.EmailNotConfirmed }}
-            <div class="alert alert-danger" role="alert">
-              <p>
-                That email hasn't been confirmed yet. Please confirm your email before logging in.
-              </p>
-              <p>
-                Lost your confirmation email? Send an email to
-                <a href="mailto:support@mineshspc.com">support@mineshspc.com</a>.
-              </p>
-            </div>
-          {{ else }}
-            <div class="alert alert-secondary" role="alert">
-              Don't have an account? <a href="/register/teacher/createaccount">Create an account</a> instead.
-            </div>
-          {{ end }}
-        {{ end }}
+        <div class="alert alert-secondary" role="alert">
+          Don't have an account? <a href="/register/teacher/createaccount">Create an account</a> instead.
+        </div>
       </div>
     </div>
     <div class="row">