hardening

backend/app/db.py

@@ -331,6 +331,8 @@ def verify_user_password(username: str, password: str) -> Optional[Dict[str, Any
     user = get_user_by_username(username)
     if not user:
         return None
+    if user.get("auth_provider") != "local":
+        return None
     if not verify_password(password, user["password_hash"]):
         return None
     return user