sec(auth): collapse 'MFA not configured' into generic auth failure (closes #391)

[cristim]

Summary

• Collapses the "MFA is enabled but not configured" error into the same generic "Check your email address and password and try again" response used for wrong passwords, so a credential-stuffing attacker cannot distinguish "password correct, MFA data broken" from "wrong password"
• Adds an internal logging.Errorf (user ID only, no email/PII) so operators can detect the data-integrity anomaly without relying on the API response
• Removes the now-dead substring match from mapMFAServiceError in handler_auth.go
• Extends TestLogin_WithMFA_NoSecret with a sub-test that asserts both paths return the identical generic error body

Test plan

• go test github.com/LeanerCloud/CUDly/internal/auth/... -run TestLogin_WithMFA_NoSecret -- all 3 sub-tests pass
• go build ./... clean
• Verify wrong-password and right-password-no-MFA-secret return the same HTTP 401 body via curl / integration test

Closes #391

[coderabbitai]

Warning

Review limit reached

@cristim, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 3 minutes and 31 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ec8dae36-e30e-4376-8174-3e36be390bd5

📥 Commits

Reviewing files that changed from the base of the PR and between eb85a50 and 2dc84e2.

📒 Files selected for processing (3)

• internal/api/handler_auth.go
• internal/auth/service.go
• internal/auth/service_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/391-wave10

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[cristim]

Rebased on feat/multicloud-web-frontend. Resolved a conflict in internal/auth/service_test.go:

• The base since-merged the group-permission model (Revamp authorization: group-membership-only (remove roles), require >=1 group per user #907/feat(auth): group-membership-only authorization, remove roles, require >=1 group (closes #907) #912/feat(auth): /api/auth/me/permissions endpoint + wire frontend canAccess (lift non-admin UI lockout) #917), which removed the User.Role field. The PR's TestLogin_WithMFA_NoSecret setup had carried a now-removed Role: RoleUser literal; dropped it. The security assertions (both the correct-password-no-secret and wrong-password paths must return the identical generic message) are kept intact.
• internal/auth/service.go and internal/api/handler_auth.go auto-merged cleanly: the leak removal (log internally, return generic message) and the dead "MFA is enabled but not configured" substring drop from mapMFAServiceError both sit alongside the sibling auth PRs' additions (sec(auth): stop leaking MFA enrollment via login error responses (closes #388) #886/sec(auth): unify login error response for unknown vs wrong-password (closes #416) #887/refactor(auth/mfa): use sentinel errors in mapMFAServiceError #883), with both protections preserved.

Verified post-rebase: gofmt clean, go vet clean, go build ok, and go test ./internal/auth/... ./internal/api/... -> 1909 passed.

@coderabbitai review

[coderabbitai]

@cristim Thanks for the detailed rebase notes — the Role: RoleUser drop aligns cleanly with the group-permission model merge, and the security invariant (identical generic response for both failure paths) looks preserved. Triggering an incremental review on the rebased branch now.

---

🧠 Learnings used

Learnt from: cristim
Repo: LeanerCloud/CUDly PR: 0
File: :0-0
Timestamp: 2026-05-05T15:44:54.463Z
Learning: In the LeanerCloud/CUDly repository, when a CodeRabbit review flags something as "outside-diff" that was already implemented in an earlier commit of the same PR, it is likely a stale-snapshot artifact where the review diff was generated against a pre-fix view. The inline comment convention `(CR pass on PR #<number> Finding N)` is used by the maintainer (cristim) to mark lines that were changed in direct response to a prior CodeRabbit review pass.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.