diff --git a/pkg/routes/api/v1/login.go b/pkg/routes/api/v1/login.go
index e13074bb2..eb92945d1 100644
--- a/pkg/routes/api/v1/login.go
+++ b/pkg/routes/api/v1/login.go
@@ -62,6 +62,15 @@ func Login(c *echo.Context) (err error) {
 }
 if user == nil {
+ // Check if the user is a bot before attempting password verification,
+ // because bots have no password hash and bcrypt would fail with a
+ // misleading error.
+ existingUser, lookupErr := user2.GetUserByUsername(s, u.Username)
+ if lookupErr == nil && existingUser.IsBot() {
+ _ = s.Rollback()
+ return &user2.ErrAccountIsBot{UserID: existingUser.ID}
+ }
+
 // This allows us to still have local users while ldap is enabled
 user, err = user2.CheckUserCredentials(s, &u)
 if err != nil {
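Review bot: The new early return in the `if user == nil` branch answers before any credential is checked, so an unauthenticated caller who submits a username gets a distinct `ErrAccountIsBot` result for bot accounts and, depending on how that error is serialized (not visible here), possibly the numeric `UserID` as well. That makes the login route answer differently for existing bot usernames than for other failed logins; consider giving the client the same failure it would see for a wrong password and recording the bot condition only in the server log, or at least keeping `UserID` out of the client-facing response. Separately, every `lookupErr` is discarded, including ones that are not "user not found"; if that is intentional, a comment such as `// lookup errors are ignored on purpose: CheckUserCredentials below reports them` would make it explicit, provided that is in fact how CheckUserCredentials behaves. Login's body starts and ends outside the hunk.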