Fix passkey-disabled message obscured by null hash check
Check pocketid_sub before hashed_password so users with a linked passkey (and hence a null hash) get the helpful message rather than "Invalid credentials". Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -140,14 +140,14 @@ async def login(
|
|||||||
):
|
):
|
||||||
result = await db.execute(select(User).where(User.username == form_data.username))
|
result = await db.execute(select(User).where(User.username == form_data.username))
|
||||||
user = result.scalar_one_or_none()
|
user = result.scalar_one_or_none()
|
||||||
if not user or not user.hashed_password:
|
if not user:
|
||||||
raise HTTPException(status_code=400, detail="Invalid credentials")
|
raise HTTPException(status_code=400, detail="Invalid credentials")
|
||||||
if user.pocketid_sub is not None:
|
if user.pocketid_sub is not None:
|
||||||
raise HTTPException(
|
raise HTTPException(
|
||||||
status_code=400,
|
status_code=400,
|
||||||
detail="Password login is disabled for this account — use your passkey to sign in.",
|
detail="Password login is disabled for this account — use your passkey to sign in.",
|
||||||
)
|
)
|
||||||
if not verify_password(form_data.password, user.hashed_password):
|
if not user.hashed_password or not verify_password(form_data.password, user.hashed_password):
|
||||||
raise HTTPException(status_code=400, detail="Invalid credentials")
|
raise HTTPException(status_code=400, detail="Invalid credentials")
|
||||||
token = create_access_token({"sub": str(user.id)})
|
token = create_access_token({"sub": str(user.id)})
|
||||||
return Token(access_token=token, token_type="bearer",
|
return Token(access_token=token, token_type="bearer",
|
||||||
|
|||||||
Reference in New Issue
Block a user