feat(auth): reject password login for bot users

kolaente 2026-04-05 19:55:17 +02:00 committed by kolaente
parent 1637ecd0c7
commit 8d3ac47605
1 changed files with 9 additions and 0 deletions


@ -62,6 +62,15 @@ func Login(c *echo.Context) (err error) {
}
if user == nil {
// Check if the user is a bot before attempting password verification,
// because bots have no password hash and bcrypt would fail with a
// misleading error.
existingUser, lookupErr := user2.GetUserByUsername(s, u.Username)
if lookupErr == nil && existingUser.IsBot() {
_ = s.Rollback()
return &user2.ErrAccountIsBot{UserID: existingUser.ID}
}
// This allows us to still have local users while ldap is enabled
user, err = user2.CheckUserCredentials(s, &u)
if err != nil {
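Review bot: The early return `return &user2.ErrAccountIsBot{UserID: existingUser.ID}` runs before any credential check, so an unauthenticated caller gets a different answer for a bot username than for an unknown user or a wrong password; if that error reaches the HTTP response with its own code or message, it confirms which usernames exist and belong to bots. Consider returning the same error the handler already uses for failed credentials and logging the bot reason server-side, or record the trade-off next to the return with a comment such as `// Deliberately distinct from the wrong-credentials error: discloses that this username is a bot account.` Separately, any `lookupErr` (including a database failure rather than a not-found) is dropped silently and the code falls through to `CheckUserCredentials`; a one-line comment saying this is intentional would help the next reader. `Login` starts and ends outside the hunk, so how the error is rendered to the client is not visible here.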