Better error message for invalid recovery codes

endpoints/web.py

@@ -392,8 +392,7 @@ def confirm_email():
 
   common_login(user)
 
-  return redirect(url_for('web.user', tab='email')
-                  if new_email else url_for('web.index'))
+  return redirect(url_for('web.user', tab='email') if new_email else url_for('web.index'))
 
 
 @web.route('/recovery', methods=['GET'])
@@ -403,11 +402,12 @@ def confirm_recovery():
   code = request.values['code']
   user = model.user.validate_reset_code(code)
 
-  if user:
+  if user is not None:
     common_login(user)
     return redirect(url_for('web.user'))
   else:
-    abort(403)
+    message = 'Invalid recovery code: This code is invalid or may have already been used.'
+    return render_page_template_with_routedata('message.html', message=message)
 
 
 @web.route('/repository/<repopath:repository>/status', methods=['GET'])