Jeremy Evans 7acbf5cd5a Switch to multi phase login
Multi phase login is the practice where you first ask for the login
(email) and not the password, and after you know the related account,
you show the options available for login to that account.

Multi phase login allows social login and OIDC login to be part of the
normal login flow. Once we know the related account, we can show the
authentication options for the account, and not include options that
are not available. If the account does not have a password and is only
connected to one social login provider, then the password field does
not display, and the only button is the button to log in to the social
login provider.

For accounts that only allow password authentication, multi phase login
results in an extra step during login. However, I think it's better to
support non-password authentication as part of the normal login flow.

A minor improvement I made during this process is if the user enters
their login, but cannot remember their password, if they click the
"Forgot your password?" link, their email address is already filled in.

Ideally, the login field would have the readonly attribute during
the second login phase.  However, I found that this negatively affects
password managers such as 1Password.  So I didn't mark the field as
readonly.  I left the handling of the readonly attribute as boolean,
in case we want to use readonly attributes elsewhere.

This required relatively few spec changes outside of the auth tests,
since almost all tests that test for logged in accounts use the login
helper method.
2025-07-09 04:32:44 +09:00