✨ Added One-Time-Code flow to member sign-in (#25187)

closes https://linear.app/ghost/issue/BER-2520/

- Portal's sign-in flow will now include a one-time-code (OTC) in emails and display a code input form after submitting the standard email sign-in form
  - OTC usage is optional for members, magic links are still included alongside the code
  - reduces sign-in friction in scenarios such as in-app browsers
- custom sign-in forms can opt in to the same OTC flow by adding a `data-members-otc=true"`
  - in this scenario, Portal will open the code input modal once a member submits their email in the custom form

Author: kevinansfield

apps/admin-x-settings/src/components/settings/advanced/labs/PrivateFeatures.tsx

@@ -27,14 +27,6 @@ const features: Feature[] = [{
     title: 'Explore',
     description: 'Enables keeping in touch with the new Explore API',
     flag: 'explore'
-}, {
-    title: 'Members sign-in OTC (private beta)',
-    description: 'Enables one-time codes alongside magic links for members signin',
-    flag: 'membersSigninOTC'
-}, {
-    title: 'Members sign-in OTC (internal alpha)',
-    description: 'Testing changes to members sign-in OTC prior to private beta release',
-    flag: 'membersSigninOTCAlpha'
 }, {
     title: 'Tags X',
     description: 'Enables the new Tags UI',

apps/portal/src/actions.js

@@ -79,21 +79,17 @@ async function signout({api, state}) {
 }
 
 async function signin({data, api, state}) {
-    const {labs} = state;
-
-    const includeOTC = labs?.membersSigninOTC ? true : undefined;
-
     try {
         const integrityToken = await api.member.getIntegrityToken();
         const payload = {
             ...data,
             emailType: 'signin',
             integrityToken,
-            ...(includeOTC ? {includeOTC: true} : {})
+            includeOTC: true
         };
         const response = await api.member.sendMagicLink(payload);
 
-        if (includeOTC && response?.otc_ref) {
+        if (response?.otc_ref) {
             return {
                 page: 'magiclink',
                 lastPage: 'signin',

apps/portal/src/components/pages/MagicLinkPage.js

@@ -222,10 +222,10 @@ export default class MagicLinkPage extends React.Component {
     }
 
     renderOTCForm() {
-        const {action, actionErrorMessage, labs, otcRef} = this.context;
+        const {action, actionErrorMessage, otcRef} = this.context;
         const errors = this.state.errors || {};
 
-        if (!labs?.membersSigninOTC || !otcRef) {
+        if (!otcRef) {
             return null;
         }
 
@@ -281,8 +281,8 @@ export default class MagicLinkPage extends React.Component {
     }
 
     render() {
-        const {labs, otcRef} = this.context;
-        const showOTCForm = labs?.membersSigninOTC && otcRef;
+        const {otcRef} = this.context;
+        const showOTCForm = !!otcRef;
 
         return (
             <div className='gh-portal-content'>

apps/portal/src/components/pages/MagicLinkPage.test.js

@@ -6,7 +6,7 @@ const OTC_ERROR_REGEX = /Enter code/i;
 
 const setupTest = (options = {}) => {
     const {
-        labs = {membersSigninOTC: false},
+        labs = {},
         otcRef = null,
         action = 'init:success',
         ...contextOverrides
@@ -33,7 +33,7 @@ const setupTest = (options = {}) => {
 // Helper for OTC-enabled tests
 const setupOTCTest = (options = {}) => {
     return setupTest({
-        labs: {membersSigninOTC: true},
+        labs: {},
         otcRef: 'test-otc-ref',
         ...options
     });
@@ -77,7 +77,7 @@ describe('MagicLinkPage', () => {
     });
 
     describe('OTC form conditional rendering', () => {
-        test('renders OTC form when lab flag enabled and otcRef exists', () => {
+        test('renders OTC form when otcRef exists', () => {
             const utils = setupOTCTest();
 
             expect(utils.getByLabelText(OTC_LABEL_REGEX)).toBeInTheDocument();
@@ -86,9 +86,7 @@ describe('MagicLinkPage', () => {
 
         test('does not render OTC form when conditions not met', () => {
             const scenarios = [
-                {labs: {membersSigninOTC: false}, otcRef: 'test-ref'},
-                {labs: {membersSigninOTC: true}, otcRef: null},
-                {labs: {membersSigninOTC: false}, otcRef: null}
+                {labs: {}, otcRef: null}
             ];
 
             scenarios.forEach(({labs, otcRef}) => {
@@ -313,9 +311,9 @@ describe('MagicLinkPage', () => {
     });
 
     describe('OTC flow edge cases', () => {
-        test('does not render form without otcRef even with lab flag', () => {
+        test('does not render form without otcRef', () => {
             const utils = setupTest({
-                labs: {membersSigninOTC: true},
+                labs: {},
                 otcRef: null
             });
 

apps/portal/src/data-attributes.js

@@ -16,7 +16,7 @@ function handleError(error, form, errorEl) {
 }
 
 export async function formSubmitHandler(
-    {event, form, errorEl, siteUrl, submitHandler, labs = {}, doAction, captureException}
+    {event, form, errorEl, siteUrl, submitHandler, doAction, captureException}
 ) {
     form.removeEventListener('submit', submitHandler);
     event.preventDefault();
@@ -47,7 +47,7 @@ export async function formSubmitHandler(
         emailType = form.dataset.membersForm;
     }
 
-    const wantsOTC = emailType === 'signin' && form?.dataset?.membersOtc === 'true' && labs?.membersSigninOTC;
+    const wantsOTC = emailType === 'signin' && form?.dataset?.membersOtc === 'true';
 
     form.classList.add('loading');
     const urlHistory = getUrlHistory();

apps/portal/src/index.js

@@ -25,9 +25,6 @@ function getSiteData() {
         const locale = scriptTag.dataset.locale; // not providing a fallback here but will do it within the app.
 
         const labs = {};
-        // NOTE: dataset converts always lowercase dash-attrs to camelCase
-        labs.membersSigninOTC = scriptTag.dataset.membersSigninOtc === 'true';
-        labs.membersSigninOTCAlpha = scriptTag.dataset.membersSigninOtcAlpha === 'true';
 
         return {siteUrl, apiKey, apiUrl, siteI18nEnabled, locale, labs};
     }

apps/portal/src/tests/SigninFlow.test.js

@@ -120,6 +120,16 @@ const multiTierSetup = async ({site, member = null}) => {
 
 const realLocation = window.location;
 
+// Helper function to verify OTC-enabled API calls
+const expectOTCEnabledSendMagicLinkAPICall = (ghostApi, email) => {
+    expect(ghostApi.member.sendMagicLink).toHaveBeenCalledWith({
+        email,
+        emailType: 'signin',
+        integrityToken: 'testtoken',
+        includeOTC: true
+    });
+};
+
 describe('Signin', () => {
     describe('on single tier site', () => {
         beforeEach(() => {
@@ -140,6 +150,11 @@ describe('Signin', () => {
                 site: FixtureSite.singleTier.basic
             });
 
+            // Mock sendMagicLink to return otc_ref for OTC flow
+            ghostApi.member.sendMagicLink = vi.fn(() => {
+                return Promise.resolve({success: true, otc_ref: 'test-otc-ref-123'});
+            });
+
             expect(popupFrame).toBeInTheDocument();
             expect(triggerButtonFrame).toBeInTheDocument();
             expect(emailInput).toBeInTheDocument();
@@ -152,41 +167,12 @@ describe('Signin', () => {
 
             fireEvent.click(submitButton);
 
-            const magicLink = await within(popupIframeDocument).findByText(/Now check your email/i);
-            expect(magicLink).toBeInTheDocument();
-
-            expect(ghostApi.member.sendMagicLink).toHaveBeenLastCalledWith({
-                email: 'jamie@example.com',
-                emailType: 'signin',
-                integrityToken: 'testtoken'
-            });
-        });
-
-        test('with OTC enabled', async () => {
-            const {ghostApi, emailInput, submitButton, popupIframeDocument} = await setup({
-                site: FixtureSite.singleTier.basic,
-                labs: {membersSigninOTC: true}
-            });
-
-            // Mock sendMagicLink to return otc_ref for OTC flow
-            ghostApi.member.sendMagicLink = vi.fn(() => {
-                return Promise.resolve({success: true, otc_ref: 'test-otc-ref-123'});
-            });
-
-            fireEvent.change(emailInput, {target: {value: 'jamie@example.com'}});
-            fireEvent.click(submitButton);
-
             const magicLink = await within(popupIframeDocument).findByText(/Now check your email/i);
             expect(magicLink).toBeInTheDocument();
             const description = await within(popupIframeDocument).findByText(/An email has been sent to jamie@example.com/i);
             expect(description).toBeInTheDocument();
 
-            expect(ghostApi.member.sendMagicLink).toHaveBeenLastCalledWith({
-                email: 'jamie@example.com',
-                emailType: 'signin',
-                integrityToken: 'testtoken',
-                includeOTC: true
-            });
+            expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         });
 
         test('without name field', async () => {
@@ -210,11 +196,7 @@ describe('Signin', () => {
             const magicLink = await within(popupIframeDocument).findByText(/Now check your email/i);
             expect(magicLink).toBeInTheDocument();
 
-            expect(ghostApi.member.sendMagicLink).toHaveBeenLastCalledWith({
-                email: 'jamie@example.com',
-                emailType: 'signin',
-                integrityToken: 'testtoken'
-            });
+            expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         });
 
         test('with only free plan', async () => {
@@ -238,11 +220,7 @@ describe('Signin', () => {
             const magicLink = await within(popupIframeDocument).findByText(/Now check your email/i);
             expect(magicLink).toBeInTheDocument();
 
-            expect(ghostApi.member.sendMagicLink).toHaveBeenLastCalledWith({
-                email: 'jamie@example.com',
-                emailType: 'signin',
-                integrityToken: 'testtoken'
-            });
+            expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         });
     });
 });
@@ -282,11 +260,7 @@ describe('Signin', () => {
             const magicLink = await within(popupIframeDocument).findByText(/Now check your email/i);
             expect(magicLink).toBeInTheDocument();
 
-            expect(ghostApi.member.sendMagicLink).toHaveBeenLastCalledWith({
-                email: 'jamie@example.com',
-                emailType: 'signin',
-                integrityToken: 'testtoken'
-            });
+            expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         });
 
         test('without name field', async () => {
@@ -310,11 +284,7 @@ describe('Signin', () => {
             const magicLink = await within(popupIframeDocument).findByText(/Now check your email/i);
             expect(magicLink).toBeInTheDocument();
 
-            expect(ghostApi.member.sendMagicLink).toHaveBeenLastCalledWith({
-                email: 'jamie@example.com',
-                emailType: 'signin',
-                integrityToken: 'testtoken'
-            });
+            expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         });
 
         test('with only free plan available', async () => {
@@ -338,11 +308,7 @@ describe('Signin', () => {
             const magicLink = await within(popupIframeDocument).findByText(/Now check your email/i);
             expect(magicLink).toBeInTheDocument();
 
-            expect(ghostApi.member.sendMagicLink).toHaveBeenLastCalledWith({
-                email: 'jamie@example.com',
-                emailType: 'signin',
-                integrityToken: 'testtoken'
-            });
+            expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         });
     });
 
@@ -447,7 +413,7 @@ describe('OTC Integration Flow', () => {
         });
 
         const utils = appRender(
-            <App api={ghostApi} labs={{membersSigninOTC: true}} />
+            <App api={ghostApi} labs={{}} />
         );
 
         await utils.findByTitle(/portal-trigger/i);
@@ -481,23 +447,14 @@ describe('OTC Integration Flow', () => {
         fireEvent.click(verifyButton);
     };
 
-    const expectOTCEnabledApiCall = (ghostApi, email) => {
-        expect(ghostApi.member.sendMagicLink).toHaveBeenCalledWith({
-            email,
-            emailType: 'signin',
-            integrityToken: 'testtoken',
-            includeOTC: true
-        });
-    };
-
     test('complete OTC flow from signin to verification', async () => {
         const {ghostApi, popupIframeDocument} = await setupOTCFlow({
             site: FixtureSite.singleTier.basic
         });
 
         await submitSigninForm(popupIframeDocument, 'jamie@example.com');
 
-        expectOTCEnabledApiCall(ghostApi, 'jamie@example.com');
+        expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         expect(ghostApi.member.sendMagicLink).toHaveBeenCalledTimes(1);
 
         submitOTCForm(popupIframeDocument, '123456');
@@ -524,7 +481,7 @@ describe('OTC Integration Flow', () => {
 
         await submitSigninForm(popupIframeDocument, 'jamie@example.com');
 
-        expectOTCEnabledApiCall(ghostApi, 'jamie@example.com');
+        expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
         expect(ghostApi.member.sendMagicLink).toHaveBeenCalledTimes(1);
 
         const otcInput = within(popupIframeDocument).queryByLabelText(OTC_LABEL_REGEX);
@@ -541,7 +498,7 @@ describe('OTC Integration Flow', () => {
 
         await submitSigninForm(popupIframeDocument, 'jamie@example.com');
 
-        expectOTCEnabledApiCall(ghostApi, 'jamie@example.com');
+        expectOTCEnabledSendMagicLinkAPICall(ghostApi, 'jamie@example.com');
 
         const otcInput = within(popupIframeDocument).getByLabelText(OTC_LABEL_REGEX);
 

apps/portal/src/tests/data-attributes.test.js

@@ -170,7 +170,7 @@ describe('Member Data attributes:', () => {
             expect(window.fetch).toHaveBeenLastCalledWith('https://portal.localhost/members/api/send-magic-link/', {body: expectedBody, headers: {'Content-Type': 'application/json'}, method: 'POST'});
         });
 
-        test('requests OTC magic link and opens Portal when flagged', async () => {
+        test('requests OTC magic link and opens Portal when flagged with data-members-otc=true', async () => {
             const {event, form, errorEl, siteUrl, submitHandler} = getMockData();
             form.dataset.membersForm = 'signin';
             form.dataset.membersOtc = 'true';
@@ -183,7 +183,7 @@ describe('Member Data attributes:', () => {
                 return originalQuerySelector(selector);
             });
 
-            const labs = {membersSigninOTC: true};
+            const labs = {};
             const doAction = vi.fn(() => Promise.resolve());
 
             const json = async () => ({otc_ref: 'otc_test_ref'});
@@ -231,7 +231,7 @@ describe('Member Data attributes:', () => {
                 return originalQuerySelector(selector);
             });
 
-            const labs = {membersSigninOTC: true};
+            const labs = {};
             const actionErrorMessage = new Error('failed to start OTC sign-in');
             const doAction = vi.fn(() => {
                 throw actionErrorMessage;

ghost/admin/app/services/feature.js

@@ -70,8 +70,6 @@ export default class FeatureService extends Service {
     @feature('editorExcerpt') editorExcerpt;
     @feature('contentVisibility') contentVisibility;
     @feature('contentVisibilityAlpha') contentVisibilityAlpha;
-    @feature('membersSigninOTC') membersSigninOTC;
-    @feature('membersSigninOTCAlpha') membersSigninOTCAlpha;
     @feature('tagsX') tagsX;
     @feature('utmTracking') utmTracking;
 

ghost/core/core/frontend/helpers/ghost_head.js

@@ -63,9 +63,7 @@ function getMembersHelper(data, frontendKey, excludeList) {
             ghost: urlUtils.getSiteUrl(),
             key: frontendKey,
             api: urlUtils.urlFor('api', {type: 'content'}, true),
-            locale: settingsCache.get('locale') || 'en',
-            'members-signin-otc': labs.isSet('membersSigninOTC'), // html.dataset converts dash-attrs to camelCase
-            'members-signin-otc-alpha': labs.isSet('membersSigninOTCAlpha') // html.dataset converts dash-attrs to camelCase
+            locale: settingsCache.get('locale') || 'en'
         };
         if (colorString) {
             attributes['accent-color'] = colorString;