Process 1 build 0203261953

backend/app/auth.py

@@ -4,8 +4,8 @@ from typing import Dict, Any, Optional
 from fastapi import Depends, HTTPException, status, Request
 from fastapi.security import OAuth2PasswordBearer
 
-from .db import get_user_by_username, upsert_user_activity
-from .security import safe_decode_token, TokenError
+from .db import get_user_by_username, set_user_auth_provider, upsert_user_activity
+from .security import safe_decode_token, TokenError, verify_password
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
 
@@ -38,6 +38,42 @@ def _extract_client_ip(request: Request) -> str:
     return "unknown"
 
 
+def resolve_user_auth_provider(user: Optional[Dict[str, Any]]) -> str:
+    if not isinstance(user, dict):
+        return "local"
+    provider = str(user.get("auth_provider") or "local").strip().lower() or "local"
+    if provider != "local":
+        return provider
+    password_hash = user.get("password_hash")
+    if isinstance(password_hash, str) and password_hash:
+        if verify_password("jellyfin-user", password_hash):
+            return "jellyfin"
+        if verify_password("jellyseerr-user", password_hash):
+            return "jellyseerr"
+    return provider
+
+
+def normalize_user_auth_provider(user: Optional[Dict[str, Any]]) -> Dict[str, Any]:
+    if not isinstance(user, dict):
+        return {}
+    resolved_provider = resolve_user_auth_provider(user)
+    stored_provider = str(user.get("auth_provider") or "local").strip().lower() or "local"
+    if resolved_provider != stored_provider:
+        username = str(user.get("username") or "").strip()
+        if username:
+            set_user_auth_provider(username, resolved_provider)
+            refreshed_user = get_user_by_username(username)
+            if refreshed_user:
+                user = refreshed_user
+    normalized = dict(user)
+    normalized["auth_provider"] = resolved_provider
+    normalized["password_change_supported"] = resolved_provider in {"local", "jellyfin"}
+    normalized["password_provider"] = (
+        resolved_provider if resolved_provider in {"local", "jellyfin"} else None
+    )
+    return normalized
+
+
 def _load_current_user_from_token(
     token: str,
     request: Optional[Request] = None,
@@ -63,6 +99,8 @@ def _load_current_user_from_token(
     if _is_expired(user.get("expires_at")):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User access has expired")
 
+    user = normalize_user_auth_provider(user)
+
     if request is not None:
         ip = _extract_client_ip(request)
         user_agent = request.headers.get("user-agent", "unknown")
@@ -78,6 +116,8 @@ def _load_current_user_from_token(
         "profile_id": user.get("profile_id"),
         "expires_at": user.get("expires_at"),
         "is_expired": bool(user.get("is_expired", False)),
+        "password_change_supported": bool(user.get("password_change_supported", False)),
+        "password_provider": user.get("password_provider"),
     }