mirror of
https://github.com/actualbudget/actual.git
synced 2026-05-07 20:38:54 -05:00
* [AI] Fix password login broken when OIDC is enabled (#7331)

The security fix in PR #7155 added an `active = 1` check to `getLoginMethod()`, which prevented password login when OIDC was the active auth method. This caused the server to silently reroute password login requests to the OpenID flow, which fails.

Remove the `active` requirement when the client explicitly requests a login method — only require the method to exist in the auth table. The `active` flag still governs the default method via `getActiveLoginMethod()`.

The `/change-password` endpoint security protections (admin role + password auth_method checks) remain intact.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add release notes for PR #7334

* Update getLoginMethod to validate client-requested login methods against the auth database

Modified the getLoginMethod function to check if the requested login method exists in the auth table before returning it. Updated the corresponding test to reflect that a client-requested method not found in the database will be ignored, ensuring proper handling of login methods.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
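The selection logic the commit message describes, as an added example that is not code from the actualbudget/actual repository. It models the sync server's `auth` table as an in-memory array of `{ method, active }` rows (a constructed sample), and places the "before" behaviour (an explicit request only honoured when that method is the `active = 1` row) beside the "after" behaviour (an explicit request honoured whenever the method exists in the table, with unknown methods ignored). The table shape, the `ALLOWED` list, the `CONFIGURED_DEFAULT` fallback and the helper names `getLoginMethodBefore`, `getLoginMethodAfter` and `compare` are assumptions made for the example; only `getLoginMethod` and `getActiveLoginMethod` are names taken from the message.

```javascript
// Added example, not code from the actualbudget/actual repository. The auth
// table, allowlist and default below are constructed assumptions.

// Constructed sample of the auth table: OIDC is the active (default) method,
// but a password credential still exists (e.g. for the admin account).
const AUTH_TABLE = [
  { method: 'password', active: 0 },
  { method: 'openid', active: 1 },
];

// Server-side allowlist of methods a client may name in the request body
// (assumption; 'header' is allowed here but deliberately absent from the table).
const ALLOWED = ['password', 'openid', 'header'];

// Configured fallback used when no row in the table is active (assumption).
const CONFIGURED_DEFAULT = 'password';

// The `active` flag decides the default method; nothing about an explicit
// request changes this.
function getActiveLoginMethod(table = AUTH_TABLE) {
  const row = table.find(r => r.active === 1);
  return row ? row.method : undefined;
}

// "Before": the explicit request only wins if it names the active method.
// With OIDC active, a client asking for `password` falls through to the
// default and is silently rerouted to `openid`, which is the reported bug.
function getLoginMethodBefore(body, table = AUTH_TABLE) {
  const requested = body && body.loginMethod;
  if (
    requested &&
    ALLOWED.includes(requested) &&
    table.some(r => r.method === requested && r.active === 1)
  ) {
    return requested;
  }
  return getActiveLoginMethod(table) || CONFIGURED_DEFAULT;
}

// "After": the explicit request is honoured as long as the method exists in
// the auth table; `active` is no longer required for an explicit request.
// A requested method with no row is ignored and the default applies.
function getLoginMethodAfter(body, table = AUTH_TABLE) {
  const requested = body && body.loginMethod;
  if (
    requested &&
    ALLOWED.includes(requested) &&
    table.some(r => r.method === requested)
  ) {
    return requested;
  }
  return getActiveLoginMethod(table) || CONFIGURED_DEFAULT;
}

// Runs the same request bodies through both versions and returns the
// results so the difference can be inspected or asserted on.
function compare(table = AUTH_TABLE) {
  const cases = {
    explicitPassword: { loginMethod: 'password' }, // the broken case
    explicitOpenid: { loginMethod: 'openid' },
    unknownMethod: { loginMethod: 'header' },      // allowed, not in table
    notAllowed: { loginMethod: 'magic' },          // not on the allowlist
    noRequest: {},                                 // client names nothing
  };
  const out = {};
  for (const [name, body] of Object.entries(cases)) {
    out[name] = {
      before: getLoginMethodBefore(body, table),
      after: getLoginMethodAfter(body, table),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

Only `explicitPassword` differs between the two versions: the "before" variant answers `openid` (the silent reroute), the "after" variant answers `password`. Every other case, including a method that is allowed but has no row, resolves to the active method in both versions, which is the "ignored" behaviour the updated test describes.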