craftcms · i-just · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026
diff --git a/src/services/Auth.php b/src/services/Auth.php
@@ -240,7 +240,13 @@ public function getAuthErrorMessage(?string $defaultMessage = null): string
         if ($user) {
             $authError = UserHelper::getAuthStatus($user);
         }
-        if ($authError == User::AUTH_INVALID_CREDENTIALS || !$authError) {
+        if (
+            $authError == User::AUTH_INVALID_CREDENTIALS ||
+            !$authError ||
+            // if preventUserEnumeration is true and the account is locked, still show the same message
+            (Craft::$app->getConfig()->getGeneral()->preventUserEnumeration &&
+            in_array($authError, [User::AUTH_ACCOUNT_LOCKED, User::AUTH_ACCOUNT_COOLDOWN]))
+        ) {
             if ($defaultMessage) {
                 return $defaultMessage;
             }

diff --git a/src/web/assets/authmethodsetup/dist/auth.js b/src/web/assets/authmethodsetup/dist/auth.js
diff --git a/src/web/assets/authmethodsetup/dist/auth.js.map b/src/web/assets/authmethodsetup/dist/auth.js.map
diff --git a/src/web/assets/authmethodsetup/src/AuthMethodSetup.js b/src/web/assets/authmethodsetup/src/AuthMethodSetup.js
@@ -90,9 +90,7 @@ Craft.AuthMethodSetup = Garnish.Base.extend(
         },
         () => {
           button.classList.remove('loading');
-        },
-        // give them 5 minutes to complete setup
-        Math.min(Craft.elevatedSessionDuration, 300)
+        }
       );
     },
-Original file line number
+Diff line change
@@ Expand Up / @@ -90,9 +90,7 @@ Craft.AuthMethodSetup = Garnish.Base.extend( @@
             },
             () => {
               button.classList.remove('loading');
-            },
-            // give them 5 minutes to complete setup
-            Math.min(Craft.elevatedSessionDuration, 300)
+            }
           );
         },
@@ Expand Down @@