From 11d80500857a5001dc5903eca8bf64b3b91a3446 Mon Sep 17 00:00:00 2001
From: "Simon L." <szaimen@e.mail.de>
Date: Sun, 26 Apr 2026 18:25:39 +0200
Subject: [PATCH] Revert "refactor: move deSEC password-reveal logic from JS to
 Twig (PRG pattern)"

This reverts commit 1c6ca098d529c3bd800342f5f07264f13f747797.
---
 php/public/forms.js                          | 12 +++++++++--
 php/public/index.php                         |  4 ----
 php/src/Controller/DesecController.php       | 21 ++++++--------------
 php/src/Desec/AlreadyRegisteredException.php | 20 -------------------
 php/src/Desec/DesecManager.php               |  5 ++++-
 php/templates/includes/desec-register.twig   | 13 +++++-------
 6 files changed, 25 insertions(+), 50 deletions(-)
 delete mode 100644 php/src/Desec/AlreadyRegisteredException.php

diff --git a/php/public/forms.js b/php/public/forms.js
index b37fdcdb..ec326b8c 100644
--- a/php/public/forms.js
+++ b/php/public/forms.js
@@ -16,13 +16,21 @@
     setTimeout(toast.remove.bind(toast), 10000)
   }
 
-  function handleEvent(e) {
+  function handleEvent(e, form) {
     const xhr = e.target;
     if (xhr.status === 201) {
       window.location.replace(xhr.getResponseHeader('Location'));
     } else if (xhr.status === 422) {
       disableSpinner()
       showError(xhr.response);
+      if (form) {
+        const revealSelector = form.dataset.revealOnError;
+        const revealWhen = form.dataset.revealWhen;
+        if (revealSelector && (!revealWhen || xhr.response.includes(revealWhen))) {
+          const target = document.querySelector(revealSelector);
+          if (target) target.style.display = '';
+        }
+      }
     } else if (xhr.status === 500) {
       showError("Server error. Please check the mastercontainer logs for details. This page will reload after 10s automatically. Then you can check the mastercontainer logs.");
       // Reload after 10s since it is expected that the updated view is shown (e.g. after starting containers)
@@ -50,7 +58,7 @@
         lastError.remove()
       }
       let xhr = new XMLHttpRequest();
-      xhr.addEventListener('load', handleEvent);
+      xhr.addEventListener('load', function(e) { handleEvent(e, form); });
       xhr.addEventListener('error', () => showError("Failed to talk to server."));
       xhr.addEventListener('error', () => disableSpinner());
       xhr.open(form.method, form.getAttribute("action"));
diff --git a/php/public/index.php b/php/public/index.php
index 00e4c2a3..9d34eabd 100644
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -185,11 +185,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'desec_password' => $configurationManager->desecPassword,
         'is_desec_domain' => $configurationManager->isDesecDomain(),
         'desec_account_registered' => $configurationManager->isDesecAccountRegistered(),
-        'desec_show_password' => (bool)($_SESSION['desec_show_password'] ?? false),
-        'desec_prefill_email' => (string)($_SESSION['desec_prefill_email'] ?? ''),
-        'desec_error' => (string)($_SESSION['desec_error'] ?? ''),
     ]);
-    unset($_SESSION['desec_show_password'], $_SESSION['desec_prefill_email'], $_SESSION['desec_error']);
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {
     $view = Twig::fromRequest($request);
diff --git a/php/src/Controller/DesecController.php b/php/src/Controller/DesecController.php
index 82eb90b5..42f5c96d 100644
--- a/php/src/Controller/DesecController.php
+++ b/php/src/Controller/DesecController.php
@@ -3,7 +3,6 @@ declare(strict_types=1);
 
 namespace AIO\Controller;
 
-use AIO\Desec\AlreadyRegisteredException;
 use AIO\Desec\DesecManager;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
@@ -15,23 +14,15 @@ readonly class DesecController {
     }
 
     public function Register(Request $request, Response $response, array $args): Response {
-        $email    = (string)($request->getParsedBody()['desec_email']    ?? '');
-        $slug     = (string)($request->getParsedBody()['desec_slug']     ?? '');
-        $password = (string)($request->getParsedBody()['desec_password'] ?? '');
-
         try {
+            $email    = (string)($request->getParsedBody()['desec_email']    ?? '');
+            $slug     = (string)($request->getParsedBody()['desec_slug']     ?? '');
+            $password = (string)($request->getParsedBody()['desec_password'] ?? '');
             $this->desecManager->register($email, $slug, $password);
-        } catch (AlreadyRegisteredException $ex) {
-            $_SESSION['desec_show_password'] = true;
-            $_SESSION['desec_prefill_email'] = $ex->email;
-            $_SESSION['desec_error']         = $ex->getMessage();
+            return $response->withStatus(201)->withHeader('Location', '.');
         } catch (\Exception $ex) {
-            $_SESSION['desec_error'] = $ex->getMessage();
+            $response->getBody()->write($ex->getMessage());
+            return $response->withStatus(422);
         }
-
-        // Post/Redirect/Get: always redirect back to the containers page.
-        // The browser follows the Location header and issues a fresh GET,
-        // which prevents form-resubmission on reload.
-        return $response->withStatus(303)->withHeader('Location', '../../containers');
     }
 }
diff --git a/php/src/Desec/AlreadyRegisteredException.php b/php/src/Desec/AlreadyRegisteredException.php
deleted file mode 100644
index aaa9a8b4..00000000
--- a/php/src/Desec/AlreadyRegisteredException.php
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
-declare(strict_types=1);
-
-namespace AIO\Desec;
-
-/**
- * Thrown when a deSEC account registration attempt fails because the email address
- * is already associated with an existing account.  The controller catches this to
- * redirect the user back to the registration form with the password field revealed.
- */
-class AlreadyRegisteredException extends \Exception {
-    public function __construct(
-        public readonly string $email,
-    ) {
-        parent::__construct(
-            'This email address is already registered at deSEC. '
-            . 'If this is your account, please enter your deSEC password in the password field and try again.',
-        );
-    }
-}
diff --git a/php/src/Desec/DesecManager.php b/php/src/Desec/DesecManager.php
index 9ac45d41..13f7a08b 100644
--- a/php/src/Desec/DesecManager.php
+++ b/php/src/Desec/DesecManager.php
@@ -122,7 +122,10 @@ class DesecManager {
         if ($code === 400) {
             $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
             if (is_array($data) && isset($data['email'])) {
-                throw new AlreadyRegisteredException($email);
+                throw new \Exception(
+                    'This email address is already registered at deSEC. '
+                    . 'If this is your account, please enter your deSEC password in the password field and try again.',
+                );
             }
             throw new \Exception('Registration at deSEC failed (HTTP 400): ' . $body);
         }
diff --git a/php/templates/includes/desec-register.twig b/php/templates/includes/desec-register.twig
index e4674dae..4e4d6a08 100644
--- a/php/templates/includes/desec-register.twig
+++ b/php/templates/includes/desec-register.twig
@@ -4,7 +4,7 @@
     {% if desec_account_registered %}
         <p>Your deSEC account (<strong>{{ desec_email }}</strong>) was registered successfully but the domain could not be registered. Please enter a desired subdomain slug (the part before <code>.dedyn.io</code>) and try again, or leave it blank for a random one.</p>
         <p>Your deSEC login credentials (for <a target="_blank" href="https://desec.io">desec.io</a>): Email: <strong>{{ desec_email }}</strong>. <details style="display:inline"><summary>Reveal deSEC password</summary><strong>{{ desec_password }}</strong></details>. Please save these in a safe place.</p>
-        <form method="POST" action="api/desec/register">
+        <form method="POST" action="api/desec/register" class="xhr">
             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
             <input type="text" name="desec_slug" placeholder="my-nextcloud (optional)" pattern="[a-z0-9]([a-z0-9\-]{0,61}[a-z0-9])?" title="Only lowercase letters, digits and hyphens (1–63 characters). No leading or trailing hyphen." />
@@ -12,17 +12,14 @@
         </form>
     {% else %}
         <p>Please enter your email address. You can also enter a desired subdomain slug (the part before <code>.dedyn.io</code>); leave it blank for a random one.</p>
-        {% if desec_error %}
-            <p style="color: var(--color-error-text)">{{ desec_error }}</p>
-        {% endif %}
-        <form method="POST" action="api/desec/register">
+        <form method="POST" action="api/desec/register" class="xhr" data-reveal-on-error="#desec-password-field" data-reveal-when="already registered at deSEC">
             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-            <input type="email" name="desec_email" placeholder="your@email.com" required {% if desec_prefill_email %}value="{{ desec_prefill_email }}"{% endif %} />
-            {% if desec_show_password %}
+            <input type="email" name="desec_email" placeholder="your@email.com" required />
+            <div id="desec-password-field" style="display:none">
                 <p>This email address is already registered at deSEC. Enter your deSEC password below to log in with it instead of creating a new account.</p>
                 <input type="password" name="desec_password" placeholder="deSEC password" autocomplete="current-password" />
-            {% endif %}
+            </div>
             <input type="text" name="desec_slug" placeholder="my-nextcloud (optional)" pattern="[a-z0-9]([a-z0-9\-]{0,61}[a-z0-9])?" title="Only lowercase letters, digits and hyphens (1–63 characters). No leading or trailing hyphen." />
             <input type="submit" value="Register free domain via deSEC" />
         </form>