From 057eb9391a79fa22f51100c3f8c22f5939f53be7 Mon Sep 17 00:00:00 2001
From: owain <owain@jarrett.eu>
Date: Tue, 9 Jun 2026 21:38:12 +0100
Subject: [PATCH] Fix passkey-disabled message obscured by null hash check

Check pocketid_sub before hashed_password so users with a linked
passkey (and hence a null hash) get the helpful message rather than
"Invalid credentials".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 backend/app/api/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/app/api/auth.py b/backend/app/api/auth.py
index 13b070f..fe726ef 100644
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -140,14 +140,14 @@ async def login(
 ):
     result = await db.execute(select(User).where(User.username == form_data.username))
     user = result.scalar_one_or_none()
-    if not user or not user.hashed_password:
+    if not user:
         raise HTTPException(status_code=400, detail="Invalid credentials")
     if user.pocketid_sub is not None:
         raise HTTPException(
             status_code=400,
             detail="Password login is disabled for this account — use your passkey to sign in.",
         )
-    if not verify_password(form_data.password, user.hashed_password):
+    if not user.hashed_password or not verify_password(form_data.password, user.hashed_password):
         raise HTTPException(status_code=400, detail="Invalid credentials")
     token = create_access_token({"sub": str(user.id)})
     return Token(access_token=token, token_type="bearer",