Build 2602262049: split magent settings and harden local login

2026-02-26 20:50:38 +13:00
parent 0b73d9f4ee
commit 1c6b8255c1
7 changed files with 142 additions and 27 deletions
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -15,6 +15,7 @@ from ..db import (
    create_user_if_missing,
    set_last_login,
    get_user_by_username,
+    get_users_by_username_ci,
    set_user_password,
    set_jellyfin_auth_cache,
    set_user_jellyseerr_id,
@@ -447,6 +448,19 @@ def _master_invite_controlled_values(master_invite: dict) -> tuple[int | None, s
@router.post("/login")
 async def login(request: Request, form_data: OAuth2PasswordRequestForm = Depends()) -> dict:
    _enforce_login_rate_limit(request, form_data.username)
+    # Provider placeholder passwords must never be accepted by the local-login endpoint.
+    if form_data.password in {"jellyfin-user", "jellyseerr-user"}:
+        _record_login_failure(request, form_data.username)
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
+    matching_users = get_users_by_username_ci(form_data.username)
+    has_external_match = any(
+        str(user.get("auth_provider") or "local").lower() != "local" for user in matching_users
+    )
+    if has_external_match:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="This account uses external sign-in. Use the external sign-in option.",
+        )
    user = verify_user_password(form_data.username, form_data.password)
    if not user:
        _record_login_failure(request, form_data.username)