From f68038a826cfcf7e331a2cbe1cdc6efb0ba7bb8e Mon Sep 17 00:00:00 2001
From: Jason Volk
Date: Wed, 18 Jun 2025 09:20:41 +0000
Subject: [PATCH] Restrict password login to accounts of type 'password' or legacy untyped.

Signed-off-by: Jason Volk
---
 src/api/client/session/password.rs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/api/client/session/password.rs b/src/api/client/session/password.rs
index 2ecb009f..433cd6f0 100644
--- a/src/api/client/session/password.rs
+++ b/src/api/client/session/password.rs
@@ -65,6 +65,17 @@ pub(super) async fn password_login(
 lowercased_user_id: &UserId,
 password: &str,
 ) -> Result {
+ // Restrict login to accounts only of type 'password', including untyped
+ // legacy accounts which are equivalent to 'password'.
+ if services
+ .users
+ .origin(user_id)
+ .await
+ .is_ok_and(|origin| origin != "password")
+ {
+ return Err!(Request(Forbidden("Account does not permit password login.")));
+ }
+
 let (hash, user_id) = services
 .users
 .password_hash(user_id)
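Review bot: The new guard fails open: `is_ok_and` lets the login continue whenever `origin()` returns `Err`, so any lookup failure other than the intended "untyped legacy account" case (a storage error, for instance) silently bypasses the restriction. Whether `origin()` distinguishes a missing entry from other failures is not visible in the hunk; if it does, bind the result first (`let origin = services.users.origin(user_id).await;`), treat only the not-found error as legacy, and propagate every other `Err` with `?` so the check is fail-closed. The distinct `Forbidden` message is also returned before any credential is verified, which lets an unauthenticated caller learn that a given account exists and is not password-typed; consider returning the same generic response the wrong-password path uses. `password_login`'s body continues outside the hunk.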