Fix passkey-disabled message obscured by null hash check

Check pocketid_sub before hashed_password so users with a linked
passkey (and hence a null hash) get the helpful message rather than
"Invalid credentials".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 21:38:12 +01:00
parent 01a8fe135c
commit 057eb9391a
+2 -2
@@ -140,14 +140,14 @@ async def login(
):
result = await db.execute(select(User).where(User.username == form_data.username))
user = result.scalar_one_or_none()
if not user or not user.hashed_password:
if not user:
raise HTTPException(status_code=400, detail="Invalid credentials")
if user.pocketid_sub is not None:
raise HTTPException(
status_code=400,
detail="Password login is disabled for this account — use your passkey to sign in.",
)
if not verify_password(form_data.password, user.hashed_password):
if not user.hashed_password or not verify_password(form_data.password, user.hashed_password):
raise HTTPException(status_code=400, detail="Invalid credentials")
token = create_access_token({"sub": str(user.id)})
return Token(access_token=token, token_type="bearer",
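Review bot: The `if user.pocketid_sub is not None:` branch now runs before any password check, so a caller who supplies any password at all gets the passkey-specific detail for every existing passkey-linked account, while unknown usernames get "Invalid credentials". The two responses therefore reveal which usernames exist and how they sign in. If that trade-off is intended for usability, record it above the check, for example `# Intentional: discloses that the account exists and uses a passkey; this endpoint must stay rate-limited.`, and confirm that throttling is actually applied, since none is visible in this hunk. Otherwise, return the generic detail here and show the passkey hint in the client or after a verified step. The `if not user:` branch also returns without calling `verify_password`, so response time probably differs between unknown and known usernames; `login`'s signature and its return statement extend outside the hunk, so any handling there is not visible.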