fix: simplify credentials provider authorization flow (#25563)

emrysal · devin-ai-integration[bot] · web-flow · commit 63d1361a7a99 · 2025-12-03T09:21:20.000Z
Co-authored-by: Devin AI &lt;158243242+devin-ai-integration[bot]@users.noreply.github.com&gt;
diff --git a/packages/features/auth/lib/next-auth-options.ts b/packages/features/auth/lib/next-auth-options.ts
@@ -169,21 +169,15 @@ const providers: Provider[] = [
         identifier: hashEmail(user.email),
       });
 
-      if (!user.password?.hash && user.identityProvider !== IdentityProvider.CAL && !credentials.totpCode) {
-        throw new Error(ErrorCode.IncorrectEmailPassword);
-      }
-      if (!user.password?.hash && user.identityProvider == IdentityProvider.CAL) {
+      // Users without a password must use their identity provider (Google/SAML) to login
+      if (!user.password?.hash) {
         throw new Error(ErrorCode.IncorrectEmailPassword);
       }
 
-      if (user.password?.hash && !credentials.totpCode) {
-        if (!user.password?.hash) {
-          throw new Error(ErrorCode.IncorrectEmailPassword);
-        }
-        const isCorrectPassword = await verifyPassword(credentials.password, user.password.hash);
-        if (!isCorrectPassword) {
-          throw new Error(ErrorCode.IncorrectEmailPassword);
-        }
+      // Always verify password for users who have one
+      const isCorrectPassword = await verifyPassword(credentials.password, user.password.hash);
+      if (!isCorrectPassword) {
+        throw new Error(ErrorCode.IncorrectEmailPassword);
       }
 
       if (user.twoFactorEnabled && credentials.backupCode) {
