The login status check mapped a locked account to ErrAccountDisabled, surfacing the disabled-account error code and message even though a dedicated ErrAccountLocked exists (and the OIDC flow already uses it). Map the locked status to ErrAccountLocked so credential login is consistent with OIDC across both /api/v1 and /api/v2. Disabled accounts still return ErrAccountDisabled. This changes the v1 login error code for locked accounts on the wire (1020 -> 1026); the change is intentional and approved. |
||
|---|---|---|
| .. | ||
| admin_user.go | ||
| auth.go | ||
| auth_provider.go | ||
| info.go | ||
| testing.go | ||