From 8d3ac47605cb7c3c50d0e335c71e2c0e7e542cb0 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sun, 5 Apr 2026 19:55:17 +0200
Subject: [PATCH] feat(auth): reject password login for bot users

---
 pkg/routes/api/v1/login.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/routes/api/v1/login.go b/pkg/routes/api/v1/login.go
index e13074bb2..eb92945d1 100644
--- a/pkg/routes/api/v1/login.go
+++ b/pkg/routes/api/v1/login.go
@@ -62,6 +62,15 @@ func Login(c *echo.Context) (err error) {
 }
 
 if user == nil {
+ // Check if the user is a bot before attempting password verification,
+ // because bots have no password hash and bcrypt would fail with a
+ // misleading error.
+ existingUser, lookupErr := user2.GetUserByUsername(s, u.Username)
+ if lookupErr == nil && existingUser.IsBot() {
+ _ = s.Rollback()
+ return &user2.ErrAccountIsBot{UserID: existingUser.ID}
+ }
+
 // This allows us to still have local users while ldap is enabled
 user, err = user2.CheckUserCredentials(s, &u)
 if err != nil {
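Review bot: The new bot check answers before any password is verified and with a distinct error type, so an unauthenticated caller can tell a bot account (and therefore an existing username) apart from the generic wrong-credentials response, and can do so without paying the bcrypt cost — a username-enumeration oracle on the login endpoint. The returned `&user2.ErrAccountIsBot{UserID: existingUser.ID}` also carries the internal user ID; whether the HTTP error renderer exposes that field is not visible here, but since this path is reachable with no credentials it is worth confirming it does not. If the aim is only to avoid the misleading bcrypt failure, consider keeping the lookup but responding with the same error `CheckUserCredentials` returns for a bad password and recording the bot-login attempt in a server-side log instead, or moving the `IsBot()` test inside `CheckUserCredentials` after the password comparison so the response is uniform; a comment such as `// Deliberately indistinguishable from a wrong password: do not reveal that the account is a bot` would document the intent. Note also that the lookup matches on `u.Username` only, so if the credential check accepts an email as the login the bot short-circuit is skipped for that form. Login's body starts and ends outside the hunk.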