Skip to content

Per-user disableLocalStrategy (SSO-only accounts) #958

Description

@lane711

Follow-up to #956 (auth hardening review). Missing functionality (minor).

Gap

We have global passwordless methods (magic-link, email-OTP, social), but no per-user flag to disable password login for an individual account. The goal: create users that exist for SSO/API only and cannot password-authenticate, while still retaining their profile fields.

Proposed

  • A per-user password_login_disabled flag (auth_user column or profile field).
  • /auth/login (+ form) rejects password auth for flagged users with a clear message; magic-link/OTP/social still work.
  • Admin user create/edit toggle.

Acceptance

  • Flagged user cannot log in with email+password; can still use an enabled passwordless method.
  • Unflagged users unaffected.
  • Unit + E2E coverage.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecuritySecurity vulnerabilities

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions