Follow-up to #956 (auth hardening review). Missing functionality (minor).
Gap
We have global passwordless methods (magic-link, email-OTP, social), but no per-user flag to disable password login for an individual account. The goal: create users that exist for SSO/API only and cannot password-authenticate, while still retaining their profile fields.
Proposed
- A per-user
password_login_disabled flag (auth_user column or profile field).
/auth/login (+ form) rejects password auth for flagged users with a clear message; magic-link/OTP/social still work.
- Admin user create/edit toggle.
Acceptance
- Flagged user cannot log in with email+password; can still use an enabled passwordless method.
- Unflagged users unaffected.
- Unit + E2E coverage.
Follow-up to #956 (auth hardening review). Missing functionality (minor).
Gap
We have global passwordless methods (magic-link, email-OTP, social), but no per-user flag to disable password login for an individual account. The goal: create users that exist for SSO/API only and cannot password-authenticate, while still retaining their profile fields.
Proposed
password_login_disabledflag (auth_user column or profile field)./auth/login(+ form) rejects password auth for flagged users with a clear message; magic-link/OTP/social still work.Acceptance