From c62d7d3ac3e05853a0b6ad9ea79b0231fde6993f Mon Sep 17 00:00:00 2001
From: Steve Cliff <steve@devcloud.guru>
Date: Tue, 5 May 2026 13:37:07 +0100
Subject: [PATCH] http: local-login rejects auth_source='oidc' users

---
 internal/server/http/auth.go               |  3 +++
 internal/server/http/oidc_handlers_test.go | 29 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/internal/server/http/auth.go b/internal/server/http/auth.go
index 508c6b4..af37ea8 100644
--- a/internal/server/http/auth.go
+++ b/internal/server/http/auth.go
@@ -56,6 +56,9 @@ func (s *Server) authenticateAndSession(w stdhttp.ResponseWriter, r *stdhttp.Req
 		// existence to a probing attacker.
 		return nil, errInvalidCredentials
 	}
+	if u.AuthSource == "oidc" {
+		return nil, errInvalidCredentials
+	}
 	if err := auth.VerifyPassword(u.PasswordHash, password); err != nil {
 		return nil, errInvalidCredentials
 	}
diff --git a/internal/server/http/oidc_handlers_test.go b/internal/server/http/oidc_handlers_test.go
index 542ea4a..de48ffd 100644
--- a/internal/server/http/oidc_handlers_test.go
+++ b/internal/server/http/oidc_handlers_test.go
@@ -1,7 +1,9 @@
 package http
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	stdhttp "net/http"
 	"net/http/cookiejar"
 	"net/http/httptest"
@@ -262,3 +264,30 @@ func TestOIDCLogoutRedirectsToEndSession(t *testing.T) {
 		t.Errorf("location missing post_logout_redirect_uri: %q", loc)
 	}
 }
+
+func TestLocalLoginRejectsOIDCUser(t *testing.T) {
+	t.Parallel()
+	srv, urlBase := newTestServer(t, false)
+	uid := "u-oidc"
+	sub := "sub-x"
+	if err := srv.deps.Store.CreateUser(t.Context(), store.User{
+		ID: uid, Username: "ouser", PasswordHash: "",
+		Role: store.RoleOperator, CreatedAt: time.Now().UTC(),
+		AuthSource: "oidc", OIDCSubject: &sub,
+	}); err != nil {
+		t.Fatalf("create: %v", err)
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "ouser", "password": "anything",
+	})
+	res, err := stdhttp.Post(urlBase+"/api/auth/login",
+		"application/json", bytes.NewReader(body))
+	if err != nil {
+		t.Fatalf("post: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != stdhttp.StatusUnauthorized {
+		t.Errorf("status: got %d want 401", res.StatusCode)
+	}
+}