Attempt LDAP bind if password hash isn't Argon2

fniessink · fniessink · commit 0ca0220b895c · 2026-02-06T15:48:09.000+01:00
When using an LDAP server with a password hash scheme other than Argon2, Quality-time would not attempt an LDAP bind to verify the user. Fixes #12595.
diff --git a/components/api_server/src/routes/auth.py b/components/api_server/src/routes/auth.py
@@ -54,10 +54,14 @@ def set_session_cookie(session_id: SessionId, expires_datetime: datetime) -> Non
     bottle.response.set_cookie("session_id", session_id, **options)
 
 
-def check_password(password_hash, password) -> bool:
+def check_password(password_hash: bytes, password: str) -> bool:
     """Check the OpenLDAP password hash against the given password."""
     # Note we currently only support ARGON2 hashes
-    return argon2.PasswordHasher().verify(password_hash.decode().removeprefix("{ARGON2}"), password)
+    hash_prefix = "{ARGON2}"
+    decoded_hash = password_hash.decode()
+    if decoded_hash.startswith(hash_prefix):
+        return argon2.PasswordHasher().verify(decoded_hash.removeprefix(hash_prefix), password)
+    return False
 
 
 def get_credentials() -> tuple[str, str]:
diff --git a/components/api_server/tests/routes/test_auth.py b/components/api_server/tests/routes/test_auth.py
@@ -198,17 +198,17 @@ def test_login_search_error(self, logging_mock, connection_mock, connection_ente
         self.ldap_connection.bind.assert_called_once()
         self.assert_log(logger.exception, exceptions.LDAPResponseTimeoutError)
 
-    @patch("logging.getLogger")
-    def test_login_password_hash_error(self, logging_mock, connection_mock, connection_enter):
-        """Test login fails when LDAP password hash is not ARGON2."""
-        logger = logging_mock.return_value = Mock()
+    @patch("routes.auth.datetime", MOCK_DATETIME)
+    def test_login_no_argon2(self, connection_mock, connection_enter):
+        """Test login proceeds with LDAP bind when LDAP password hash is not ARGON2."""
         connection_mock.return_value = None
         self.ldap_entry.userPassword.value = b"{XSHA}whatever-here"
         connection_enter.return_value = self.ldap_connection
-        self.assertEqual(self.login_nok, login(self.database))
+        self.assertEqual(self.login_ok, login(self.database))
+        self.assert_cookie_has_session_id()
+        self.assert_ldap_lookup_connection_created(connection_mock)
+        self.assert_ldap_bind_connection_created(connection_mock)
         self.assert_ldap_connection_search_called()
-        self.assertEqual(self.LOG_ERROR_MESSAGE_TEMPLATE, logger.exception.call_args_list[0][0][0])
-        self.assert_log(logger.exception, argon2.exceptions.InvalidHashError)
 
     @patch("logging.getLogger")
     def test_login_wrong_password(self, logging_mock, connection_mock, connection_enter):
diff --git a/docs/src/changelog.md b/docs/src/changelog.md
@@ -10,6 +10,12 @@ If your currently installed *Quality-time* version is not the penultimate versio
 
 <!-- The line "## <square-bracket>Unreleased</square-bracket>" is replaced by the release/release.py script with the new release version and release date. -->
 
+## [Unreleased]
+
+### Fixed
+
+- When using an LDAP server with a password hash scheme other than Argon2, Quality-time would not attempt an LDAP bind to verify the user. Fixes [#12595](https://github.com/ICTU/quality-time/issues/12595).
+
 ## v5.48.3 - 2026-01-29
 
 ### Fixed
diff --git a/docs/src/conf.py b/docs/src/conf.py
@@ -88,4 +88,5 @@
     # 404 Client Error: Not Found
     # See https://community.sonarsource.com/t/https-rules-sonarsource-com-down/177294?u=fniessink:
     "https://rules.sonarsource.com/.*",
+    "https://www.ictu.nl/en/about-us",  # False negative: 415 Client Error: Unsupported Media Type
 ]
diff --git a/docs/src/deployment.md b/docs/src/deployment.md
@@ -92,7 +92,7 @@ See [https://ldap.com/ldap-filters/](https://ldap.com/ldap-filters/) for more in
 Quality-time tries two methods to authenticate users:
 
 - If the LDAP-server returns the `userPassword` (containing a hash of the users' password), Quality-time uses that to verify the password. Note that currently only `ARGON2` hashes are supported. Please submit a feature request if you need support for another type of hash.
-- If the `userPassword` is not returned, Quality-time attempts an LDAP-bind.
+- If the `userPassword` is not returned or it is no `ARGON2` hash, Quality-time attempts an LDAP-bind operation using the user's distinguished name as returned by the LDAP-server and the password entered by the user.
 
 ```{index} Forwarded Authentication
 ```
diff --git a/docs/src/versioning.md b/docs/src/versioning.md
@@ -29,7 +29,8 @@ The MongoDB version, the MongoDB feature compatibility, and the migrations all l
 
 | Version    | Date       | Mongo  | FC     | Migrations  | Max. downgrade | Max. upgrade | Manual changes |
 |------------|------------|--------|--------|-------------|----------------|--------------|----------------|
-| v5.48.3    | 2026-01-29 | v8     | v8     |             | v5.47.2        | n/a          | no             |
+| v5.48.4    | 2026-02-06 | v8     | v8     |             | v5.47.2        | n/a          | no             |
+| v5.48.3    | 2026-01-29 | v8     | v8     |             | v5.47.2        | latest       | no             |
 | v5.48.2    | 2026-01-09 | v8     | v8     |             | v5.47.2        | latest       | no             |
 | v5.48.1    | 2025-12-19 | v8     | v8     |             | v5.47.2        | latest       | no             |
 | v5.48.0    | 2025-12-12 | v8     | v8     |             | v5.47.2        | latest       | no             |

Original file line number	Diff line number	Diff line change
`@@ -88,4 +88,5 @@`
`88`	`88`	`# 404 Client Error: Not Found`
`89`	`89`	`# See https://community.sonarsource.com/t/https-rules-sonarsource-com-down/177294?u=fniessink:`
`90`	`90`	`"https://rules.sonarsource.com/.*",`
	`91`	`+ "https://www.ictu.nl/en/about-us", # False negative: 415 Client Error: Unsupported Media Type`
`91`	`92`	`]`