SFTPGo pre-login hook: filters (denied_protocols, denied_login_methods) not applied when creating users dynamically

[tatsiana-komovich]

I am using a pre-login hook to dynamically create users on their first login via OIDC. (If users exists, the script will exit)

SFTPGo version: 2.6.4
Deployment: Kubernetes via Helm chart

Hook type: pre-login hook

My hook returns the following JSON:

cat <<EOF
{
  "status": 1,
  "username": "$USERNAME",
  "has_password": false,
  "permissions": {
    "/": ["*"]
  },
  "filters": {
    "denied_login_methods": [
      "publickey",
      "publickey+password",
      "publickey+keyboard-interactive",
      "TLSCertificate",
      "TLSCertificate+password"
    ],
    "denied_protocols": [
      "SSH",
      "FTP",
      "DAV"
    ]
  }
}
EOF

Expected behavior:
The created user should only be able to access via HTTP (WebClient/REST API using OIDC).

Actual behavior:
The filters seem to not to be applied and filters are not saved in the user profile (in ACL section)

Are denied_protocols and denied_login_methods supported when creating users via pre-login hook?
If so, are there any mandatory fields or limitations when setting filters in dynamic user creation?

Is this the correct way to restrict access to HTTP/WebClient only for OIDC-created users?