From 3c8d50162be3ebd7ce3acf7c210a9864869bed45 Mon Sep 17 00:00:00 2001 From: Daniel Bedeleanu Date: Sat, 11 Apr 2026 14:55:31 +0300 Subject: [PATCH] debug: add detailed logging to login authentication flow - Log when local auth succeeds/fails - Log when password mismatch occurs - Log LDAP auth attempts and failures - Helps diagnose why login is returning 401 --- backend/routers/users.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/backend/routers/users.py b/backend/routers/users.py index 4a3cdb72..22b82f10 100644 --- a/backend/routers/users.py +++ b/backend/routers/users.py @@ -159,16 +159,24 @@ def login(form_data: schemas.UserLogin, db: Session = Depends(get_db)): authenticated = False if user and user.hashed_password: if verify_password(form_data.password, user.hashed_password): + log.debug(f"Local auth successful for {form_data.username}") authenticated = True + else: + log.debug(f"Local auth failed: password mismatch for {form_data.username}") elif user and not user.hashed_password: + log.debug(f"User {form_data.username} exists but has no hashed password (LDAP user), skipping local auth") # [SECURITY FIX C-02] Bypass for passwordless users has been removed. # LDAP users must authenticate via the LDAP flow below. pass + elif not user: + log.debug(f"User {form_data.username} not found in database, will try LDAP") # If local failed, try LDAP if not authenticated: + log.debug(f"Local auth failed for {form_data.username}, attempting LDAP") ldap_role = authenticate_ldap(form_data.username, form_data.password) if ldap_role: + log.debug(f"LDAP auth successful for {form_data.username}, role={ldap_role}") authenticated = True # Cache hash for offline support new_hash = get_password_hash(form_data.password) @@ -191,6 +199,7 @@ def login(form_data: schemas.UserLogin, db: Session = Depends(get_db)): db.commit() db.refresh(user) else: + log.warning(f"Login failed: LDAP auth also failed for {form_data.username}") raise HTTPException(status_code=401, detail="Invalid username or password, or insufficient permissions") if not authenticated or not user: