From 17e14009e2503daa08b5e22b3b089971749eacdf Mon Sep 17 00:00:00 2001
From: Dave <3836813+enmande@users.noreply.github.com>
Date: Mon, 3 Nov 2025 11:04:44 -0500
Subject: [PATCH] fix(recover-two-factor-component) [PM-21153]: Update error handling for SSO-required 2FA recovery scenarios. (#17016)
---
 .../app/auth/recover-two-factor.component.ts | 35 +++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/apps/web/src/app/auth/recover-two-factor.component.ts b/apps/web/src/app/auth/recover-two-factor.component.ts
index dc85668c8ec..9c033b88a75 100644
--- a/apps/web/src/app/auth/recover-two-factor.component.ts
+++ b/apps/web/src/app/auth/recover-two-factor.component.ts
@@ -113,14 +113,37 @@ export class RecoverTwoFactorComponent implements OnInit {
 await this.router.navigate(["/settings/security/two-factor"]);
 } catch (error: unknown) {
 if (error instanceof ErrorResponse) {
- this.logService.error("Error logging in automatically: ", error.message);
-
- if (error.message.includes("Two-step token is invalid")) {
- this.formGroup.get("recoveryCode")?.setErrors({
- invalidRecoveryCode: { message: this.i18nService.t("invalidRecoveryCode") },
+ if (
+ error.message.includes(
+ "Two-factor recovery has been performed. SSO authentication is required.",
+ )
+ ) {
+ // [PM-21153]: Organization users with as SSO requirement need to be able to recover 2FA,
+ // but still be bound by the SSO requirement to log in. Therefore, we show a success toast for recovering 2FA,
+ // but then inform them that they need to log in via SSO and redirect them to the login page.
+ // The response tested here is a specific message for this scenario from request validation.
+ this.toastService.showToast({
+ variant: "success",
+ title: "",
+ message: this.i18nService.t("twoStepRecoverDisabled"),
 });
+ this.toastService.showToast({
+ variant: "error",
+ title: "",
+ message: this.i18nService.t("ssoLoginIsRequired"),
+ });
+
+ await this.router.navigate(["/login"]);
 } else {
- this.validationService.showError(error.message);
+ this.logService.error("Error logging in automatically: ", error.message);
+
+ if (error.message.includes("Two-step token is invalid")) {
+ this.formGroup.get("recoveryCode")?.setErrors({
+ invalidRecoveryCode: { message: this.i18nService.t("invalidRecoveryCode") },
+ });
+ } else {
+ this.validationService.showError(error.message);
+ }
 }
 } else {
 this.logService.error("Error logging in automatically: ", error);
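Review bot: The new `error.message.includes("Two-factor recovery has been performed. SSO authentication is required.")` test decides a security-relevant outcome from the server's English message text, so any rewording or localisation of that message sends the user into the `else` branch, where they see a generic error even though, going by the message and the comment, the server has already performed the 2FA recovery. If `ErrorResponse` exposes a structured code for this case (not visible in this hunk), branch on that instead; otherwise hoist the literal into a named constant documented as a server contract, e.g. `const SSO_REQUIRED_AFTER_RECOVERY = "Two-factor recovery has been performed. SSO authentication is required.";`, and pin it with a unit test so drift is caught. The added comment also has a typo: `with as SSO requirement` should read `with an SSO requirement`. The enclosing try/catch starts above this hunk and continues below it.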