Change failure of MFA from redirect to error message

[dqwiki]

When putting in a MFA code, if it fails, it kicks you back to login in again, instead of asking you to try again.

[methecooldude]

I believe this is because

waca/includes/Pages/UserAuth/Login/LoginCredentialPageBase.php

Line 85 in cf679d0

throw new ApplicationLogicException("Authentication failed");

just throws an exception which then gets caught with a redirect to login at L104. Not sure if there is a way of changing the action based on it being MFA

[stwalkerster]

Does it matter if we only allow a retry of an MFA? I'm fairly sure we can permit a retry of a password too?

I have no idea if this would work, but perhaps we could change:

waca/includes/Pages/UserAuth/Login/LoginCredentialPageBase.php

Lines 101 to 104 in cf679d0

	WebRequest::clearAuthPartialLogin();
	SessionAlert::error($ex->getMessage());
	$this->redirect('login');

• remove L101 so we don't reset the session on auth failure
• change the redirect on L104 to redirect to the current page (convert POST to GET; can't remember if a plain ->redirect() goes to the current page or to the home page)

If we take this approach, I'd quite like to have a "cancel auth" or "logout" button if the auth is beyond the first stage to keep current functionality