Attempt LDAP bind if password hash isn't Argon2

fniessink · fniessink · commit 34092ebf2440 · 2026-02-06T15:13:01.000+01:00
When using an LDAP server with a password hash scheme other than Argon2, Quality-time would not attempt an LDAP bind to verify the user. Fixes #12595.
diff --git a/components/api_server/src/routes/auth.py b/components/api_server/src/routes/auth.py
@@ -54,10 +54,13 @@ def set_session_cookie(session_id: SessionId, expires_datetime: datetime) -> Non
     bottle.response.set_cookie("session_id", session_id, **options)
 
 
-def check_password(password_hash, password) -> bool:
+def check_password(password_hash: bytes, password: str) -> bool:
     """Check the OpenLDAP password hash against the given password."""
     # Note we currently only support ARGON2 hashes
-    return argon2.PasswordHasher().verify(password_hash.decode().removeprefix("{ARGON2}"), password)
+    decoded_hash = password_hash.decode()
+    if decoded_hash.startswith("{ARGON2}"):
+        return argon2.PasswordHasher().verify(decoded_hash.removeprefix("{ARGON2}"), password)
+    return False
 
 
 def get_credentials() -> tuple[str, str]:
diff --git a/components/api_server/tests/routes/test_auth.py b/components/api_server/tests/routes/test_auth.py
@@ -198,17 +198,17 @@ def test_login_search_error(self, logging_mock, connection_mock, connection_ente
         self.ldap_connection.bind.assert_called_once()
         self.assert_log(logger.exception, exceptions.LDAPResponseTimeoutError)
 
-    @patch("logging.getLogger")
-    def test_login_password_hash_error(self, logging_mock, connection_mock, connection_enter):
-        """Test login fails when LDAP password hash is not ARGON2."""
-        logger = logging_mock.return_value = Mock()
+    @patch("routes.auth.datetime", MOCK_DATETIME)
+    def test_login_no_argon2(self, connection_mock, connection_enter):
+        """Test login proceeds with LDAP bind when LDAP password hash is not ARGON2."""
         connection_mock.return_value = None
         self.ldap_entry.userPassword.value = b"{XSHA}whatever-here"
         connection_enter.return_value = self.ldap_connection
-        self.assertEqual(self.login_nok, login(self.database))
+        self.assertEqual(self.login_ok, login(self.database))
+        self.assert_cookie_has_session_id()
+        self.assert_ldap_lookup_connection_created(connection_mock)
+        self.assert_ldap_bind_connection_created(connection_mock)
         self.assert_ldap_connection_search_called()
-        self.assertEqual(self.LOG_ERROR_MESSAGE_TEMPLATE, logger.exception.call_args_list[0][0][0])
-        self.assert_log(logger.exception, argon2.exceptions.InvalidHashError)
 
     @patch("logging.getLogger")
     def test_login_wrong_password(self, logging_mock, connection_mock, connection_enter):
diff --git a/docs/src/changelog.md b/docs/src/changelog.md
@@ -10,6 +10,12 @@ If your currently installed *Quality-time* version is not the penultimate versio
 
 <!-- The line "## <square-bracket>Unreleased</square-bracket>" is replaced by the release/release.py script with the new release version and release date. -->
 
+## [Unreleased]
+
+### Fixed
+
+- When using an LDAP server with a password hash scheme other than Argon2, Quality-time would not attempt an LDAP bind to verify the user. Fixes [#12595](https://github.com/ICTU/quality-time/issues/12595).
+
 ## v5.48.3 - 2026-01-29
 
 ### Fixed
