debug: add detailed logging to login authentication flow

- Log when local auth succeeds/fails
- Log when password mismatch occurs
- Log LDAP auth attempts and failures
- Helps diagnose why login is returning 401
This commit is contained in:
Daniel Bedeleanu
2026-04-11 14:55:31 +03:00
parent 483a747600
commit 3c8d50162b

View File

@@ -159,16 +159,24 @@ def login(form_data: schemas.UserLogin, db: Session = Depends(get_db)):
authenticated = False
if user and user.hashed_password:
if verify_password(form_data.password, user.hashed_password):
log.debug(f"Local auth successful for {form_data.username}")
authenticated = True
else:
log.debug(f"Local auth failed: password mismatch for {form_data.username}")
elif user and not user.hashed_password:
log.debug(f"User {form_data.username} exists but has no hashed password (LDAP user), skipping local auth")
# [SECURITY FIX C-02] Bypass for passwordless users has been removed.
# LDAP users must authenticate via the LDAP flow below.
pass
elif not user:
log.debug(f"User {form_data.username} not found in database, will try LDAP")
# If local failed, try LDAP
if not authenticated:
log.debug(f"Local auth failed for {form_data.username}, attempting LDAP")
ldap_role = authenticate_ldap(form_data.username, form_data.password)
if ldap_role:
log.debug(f"LDAP auth successful for {form_data.username}, role={ldap_role}")
authenticated = True
# Cache hash for offline support
new_hash = get_password_hash(form_data.password)
@@ -191,6 +199,7 @@ def login(form_data: schemas.UserLogin, db: Session = Depends(get_db)):
db.commit()
db.refresh(user)
else:
log.warning(f"Login failed: LDAP auth also failed for {form_data.username}")
raise HTTPException(status_code=401, detail="Invalid username or password, or insufficient permissions")
if not authenticated or not user: