Handle passwordless identities during sign-in #1416

Open
AITechTim wants to merge 1 commit into getprobo:main from Cancilico:cancilico/password-not-set-login-fix-upstream

@AITechTim AITechTim commented Jun 25, 2026

Summary

  • Detect identities without a stored password hash before password verification so password sign-in no longer reaches an internal hash error.
  • Return the same public INVALID_CREDENTIALS GraphQL error for passwordless identities as for unknown users or wrong passwords, avoiding account-state enumeration.
  • Show generic invalid-credentials recovery guidance in the console, with a forgot-password link that keeps the attempted email prefilled.

Why

Invited accounts can exist without a local password hash, especially when they were created through invite or SSO-first flows. Password login for those accounts previously reached password verification with a nil hash and surfaced as an internal server error. This keeps the internal error typed while ensuring unauthenticated sign-in responses remain indistinguishable.

Validation

  • npm ci
  • PATH=/usr/local/go/bin:$PATH make @probo/emails
  • PATH=/usr/local/go/bin:$PATH make relay
  • PATH=/usr/local/go/bin:$PATH make generate
  • /usr/local/go/bin/go test ./pkg/iam ./pkg/server/gqlutils ./pkg/server/api/connect/v1
  • npm --workspace @probo/console run check
  • ../../node_modules/.bin/eslint --no-warn-ignored src/pages/iam/auth/sign-in/PasswordSignInPage.tsx src/pages/iam/auth/ForgotPasswordPage.tsx
  • git diff --check

Notes

The commit includes the required DCO Signed-off-by trailer and is GPG-signed with a GitHub-verified key. The account-state enumeration review thread is addressed by commit a6a7bdb.
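
The pattern described in this PR, as an added Go example that is not the PR's or the project's own code: the missing hash is detected before any comparison and gets its own typed internal error, while all three credential failures map to the same public code. The names `verify` and `PublicCode`, the `OK` and `INTERNAL_ERROR` codes, the in-memory store and the SHA-256 stand-in for a password KDF are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Typed internal errors: useful in logs and metrics, never returned to the client.
var (
	ErrUnknownUser    = errors.New("identity not found")
	ErrPasswordNotSet = errors.New("identity has no password hash")
	ErrWrongPassword  = errors.New("password mismatch")
)

// verify checks a sign-in against store (email -> hash; nil hash = invite/SSO-first identity).
func verify(store map[string][]byte, email, password string) error {
	hash, ok := store[email]
	if !ok {
		return ErrUnknownUser
	}
	if len(hash) == 0 { // detected before the comparison ever sees a nil hash
		return ErrPasswordNotSet
	}
	sum := sha256.Sum256([]byte(password)) // stand-in for a real password KDF (stdlib only)
	if subtle.ConstantTimeCompare(hash, sum[:]) != 1 {
		return ErrWrongPassword
	}
	return nil
}

// PublicCode collapses every credential failure into one client-visible code.
func PublicCode(err error) string {
	switch {
	case err == nil:
		return "OK"
	case errors.Is(err, ErrUnknownUser), errors.Is(err, ErrPasswordNotSet), errors.Is(err, ErrWrongPassword):
		return "INVALID_CREDENTIALS"
	}
	return "INTERNAL_ERROR" // hypothetical code for anything else, e.g. a store outage
}

func main() {
	h := sha256.Sum256([]byte("s3cret")) // constructed sample data
	store := map[string][]byte{"a@example.test": h[:], "invited@example.test": nil}
	for _, e := range []string{"a@example.test", "invited@example.test", "nobody@example.test"} {
		fmt.Println(e, "->", PublicCode(verify(store, e, "wrong")))
	}
}
```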

@AITechTim AITechTim force-pushed the cancilico/password-not-set-login-fix-upstream branch from 17194c9 to a1515c2 Compare June 25, 2026 23:34
@AITechTim AITechTim changed the title [codex] Handle passwordless identities during sign-in Handle passwordless identities during sign-in Jun 25, 2026
@AITechTim AITechTim marked this pull request as ready for review June 25, 2026 23:43

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 6 files

Comment thread pkg/server/api/connect/v1/session_resolvers.go Outdated
(cherry picked from commit c46402b)
Signed-off-by: AITechTim <schmittmann@cancilico.com>
@AITechTim AITechTim force-pushed the cancilico/password-not-set-login-fix-upstream branch from a1515c2 to a6a7bdb Compare June 25, 2026 23:59
lukkor commented Jun 27, 2026

Hello @AITechTim, we are looking into your PR internally and will come back to you soon, thanks for your contribution 🙏
