security: remove APP_PASSWORD_HASH login fallback — email+password required

Author: AmmarSaleh50

.env.example

@@ -1,8 +1,10 @@
 # ─── Backend (.env at repo root — read by the openstudy container) ─────────
 
-# Argon2id hash of the password that gates the app. Generate with:
-#   docker run --rm python:3.12-slim sh -c \
-#     'pip install -q argon2-cffi && python -c "from argon2 import PasswordHasher; print(PasswordHasher().hash(input(\"password: \")))"'
+# Bootstrap-only: the scripts/seed_operator_password.py script reads this on
+# first deploy to set users.password_hash for the operator account in the DB.
+# After that, login uses users.password_hash from the DB — this env var is no
+# longer read at request time. Generate the hash with:
+#   uv run app/tools/hashpw.py
 APP_PASSWORD_HASH=
 
 # Random secret for session signing. REQUIRED — app refuses to start without one.

app/auth.py

@@ -86,19 +86,6 @@ def hash_password(plain: str) -> str:
     return _ph.hash(plain)
 
 
-def verify_password(plain: str) -> bool:
-    s = get_settings()
-    if not s.app_password_hash:
-        return False
-    try:
-        _ph.verify(s.app_password_hash, plain)
-        return True
-    except VerifyMismatchError:
-        return False
-    except Exception:
-        return False
-
-
 async def verify_password_for_user(email: str, plain: str) -> Optional[User]:
     """Look up user by email; argon2-verify; return User or None.
 

app/config.py

@@ -12,7 +12,6 @@ class Settings(BaseSettings):
     )
 
     # Auth
-    app_password_hash: str = Field(default="")
     # No default — production deploys must set SESSION_SECRET. The setter
     # below raises if it's left empty so we fail-closed instead of signing
     # cookies with a publicly-known string.

app/routers/auth.py

@@ -12,10 +12,8 @@
     issue_session,
     optional_auth,
     require_auth,
-    verify_password,
     verify_password_for_user,
     verify_totp,
-    _sentinel_user,
 )
 from ..ratelimit import check_login_rate, record_login_attempt, check_auth_rate
 from ..schemas import LoginRequest, SessionInfo, TotpSetupResponse, TotpVerifyRequest, SignupRequest, ForgotRequest, ResetRequest
@@ -34,16 +32,7 @@ def _verify_totp_code(code: str, secret: str) -> bool:
 async def login(body: LoginRequest, request: Request, response: Response) -> SessionInfo:
     await check_login_rate(request)
 
-    user: Optional[User] = None
-
-    if body.email:
-        # Email+password path: lookup + argon2 verify
-        user = await verify_password_for_user(body.email, body.password)
-    else:
-        # Operator-legacy fallback: verify against APP_PASSWORD_HASH
-        legacy_ok = verify_password(body.password)
-        if legacy_ok:
-            user = _sentinel_user()
+    user: Optional[User] = await verify_password_for_user(body.email, body.password)
 
     if user is None:
         await record_login_attempt(request, False)

app/schemas.py

@@ -392,7 +392,7 @@ class DashboardSummary(BaseModel):
 
 # ---------- Auth ----------
 class LoginRequest(BaseModel):
-    email: Optional[str] = None  # If omitted, falls back to operator-legacy
+    email: str
     password: str
     totp_code: Optional[str] = None
 

tests/mcp/test_bearer_user_binding.py

@@ -20,24 +20,19 @@
 
 import pytest
 import pytest_asyncio
-from argon2 import PasswordHasher
 from httpx import ASGITransport, AsyncClient
 
 import app.db as db_module
 from app.config import get_settings
 
 
-_TEST_PASSWORD = "test-password-1234"
-_TEST_PASSWORD_HASH = PasswordHasher().hash(_TEST_PASSWORD)
-
 _USER_A_ID = "00000000-0000-0000-0000-000000000001"  # operator (already seeded)
 _USER_B_ID = "11111111-1111-1111-1111-111111111111"
 
 
 @pytest_asyncio.fixture
 async def https_client(db_conn, monkeypatch):
     """https://test base_url so Secure cookies survive the round-trip."""
-    monkeypatch.setenv("APP_PASSWORD_HASH", _TEST_PASSWORD_HASH)
     get_settings.cache_clear()
     monkeypatch.setattr(db_module, "_pool", db_conn)
 

tests/test_integration_full_flow.py

@@ -27,12 +27,19 @@
 _TEST_PASSWORD_HASH = PasswordHasher().hash(_TEST_PASSWORD)
 
 
+_OPERATOR_EMAIL = "operator@local"
+
+
 @pytest_asyncio.fixture
 async def https_client(db_conn, monkeypatch):
     """Like the conftest `client` fixture but with `https://test` base_url
-    so Secure cookies survive the round-trip, plus a known
-    APP_PASSWORD_HASH so /api/auth/login can succeed."""
-    monkeypatch.setenv("APP_PASSWORD_HASH", _TEST_PASSWORD_HASH)
+    so Secure cookies survive the round-trip. Seeds the operator's
+    password_hash directly in the DB so /api/auth/login can succeed."""
+    async with db_conn.connection() as conn, conn.cursor() as cur:
+        await cur.execute(
+            "UPDATE users SET password_hash = %s WHERE email = %s",
+            (_TEST_PASSWORD_HASH, _OPERATOR_EMAIL),
+        )
     get_settings.cache_clear()
     monkeypatch.setattr(db_module, "_pool", db_conn)
 
@@ -66,7 +73,7 @@ async def test_oauth_full_lifecycle(https_client, db_conn):
 
     # 2. Login with the test password (no TOTP yet).
     login = await https_client.post(
-        "/api/auth/login", json={"password": _TEST_PASSWORD}
+        "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": _TEST_PASSWORD}
     )
     assert login.status_code == 200, login.text
     assert https_client.cookies.get("study_session")
@@ -166,20 +173,20 @@ async def test_login_rate_limit_then_success(https_client, db_conn):
     # 5 failed attempts: each 401 with "invalid credentials".
     for _ in range(5):
         bad = await https_client.post(
-            "/api/auth/login", json={"password": "wrong"}
+            "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": "wrong"}
         )
         assert bad.status_code == 401, bad.text
 
     # 6th attempt: bucket is full → 429 BEFORE reaching verify_password.
     capped = await https_client.post(
-        "/api/auth/login", json={"password": "wrong"}
+        "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": "wrong"}
     )
     assert capped.status_code == 429, capped.text
 
     # Even a correct password is rejected once rate-limited (the limit is
-    # checked BEFORE verify_password).
+    # checked BEFORE verify_password_for_user).
     still_capped = await https_client.post(
-        "/api/auth/login", json={"password": _TEST_PASSWORD}
+        "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": _TEST_PASSWORD}
     )
     assert still_capped.status_code == 429
 
@@ -190,7 +197,7 @@ async def test_login_rate_limit_then_success(https_client, db_conn):
 
     # Correct password now succeeds.
     ok = await https_client.post(
-        "/api/auth/login", json={"password": _TEST_PASSWORD}
+        "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": _TEST_PASSWORD}
     )
     assert ok.status_code == 200, ok.text
     assert https_client.cookies.get("study_session")
@@ -202,9 +209,9 @@ async def test_login_rate_limit_then_success(https_client, db_conn):
 
 @pytest.mark.asyncio
 async def test_totp_enroll_and_login(https_client, db_conn):
-    # 1. Login with password only (TOTP not yet enabled).
+    # 1. Login with email + password (TOTP not yet enabled).
     login = await https_client.post(
-        "/api/auth/login", json={"password": _TEST_PASSWORD}
+        "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": _TEST_PASSWORD}
     )
     assert login.status_code == 200, login.text
 
@@ -224,25 +231,26 @@ async def test_totp_enroll_and_login(https_client, db_conn):
     # Drop the cookie so subsequent /login attempts are unauthenticated.
     https_client.cookies.clear()
 
-    # 4. Password without code → 401 totp_required.
+    # 4. Email + password without code → 401 totp_required.
     pw_only = await https_client.post(
-        "/api/auth/login", json={"password": _TEST_PASSWORD}
+        "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": _TEST_PASSWORD}
     )
     assert pw_only.status_code == 401, pw_only.text
     assert pw_only.json()["detail"] == "totp_required"
 
-    # 5. Password + wrong code → 401 invalid totp.
+    # 5. Email + password + wrong code → 401 invalid totp.
     bad_code = await https_client.post(
         "/api/auth/login",
-        json={"password": _TEST_PASSWORD, "totp_code": "000000"},
+        json={"email": _OPERATOR_EMAIL, "password": _TEST_PASSWORD, "totp_code": "000000"},
     )
     assert bad_code.status_code == 401, bad_code.text
     assert bad_code.json()["detail"] == "invalid totp code"
 
-    # 6. Password + correct code → 200, cookie set.
+    # 6. Email + password + correct code → 200, cookie set.
     good = await https_client.post(
         "/api/auth/login",
         json={
+            "email": _OPERATOR_EMAIL,
             "password": _TEST_PASSWORD,
             "totp_code": pyotp.TOTP(secret).now(),
         },
@@ -253,18 +261,9 @@ async def test_totp_enroll_and_login(https_client, db_conn):
 
 @pytest.mark.asyncio
 async def test_login_with_email_and_password(https_client, db_conn):
-    """The new email+password path works against an operator-seeded user."""
-    # Operator user is seeded by Phase 1 migration with NULL password_hash.
-    # Set a password hash directly via SQL (mimicking the seed script).
-    pw_hash = PasswordHasher().hash(_TEST_PASSWORD)
-    async with db_conn.connection() as conn, conn.cursor() as cur:
-        await cur.execute(
-            "UPDATE users SET password_hash = %s WHERE email = 'operator@local'",
-            (pw_hash,),
-        )
-    # Now login with email + password
+    """Email+password login works; password_hash is seeded by the fixture."""
     resp = await https_client.post("/api/auth/login", json={
-        "email": "operator@local",
+        "email": _OPERATOR_EMAIL,
         "password": _TEST_PASSWORD,
     })
     assert resp.status_code == 200, resp.text

tests/test_integration_routes.py

@@ -56,10 +56,10 @@ async def test_dashboard_aggregates_every_service(db_conn, monkeypatch):
 
 @pytest.mark.asyncio
 async def test_login_flow_uses_async_db_paths(client, db_conn, monkeypatch):
-    """Drive /auth/login through the async ratelimit + auth.get_totp_state
-    paths. Expects a 401 (no password configured, but the request must reach
+    """Drive /auth/login through the async ratelimit + verify_password_for_user
+    paths. Expects a 401 (unknown email, but the request must reach
     that error rather than 500-ing on a missed await)."""
-    # No app_password_hash configured → verify_password returns False → 401.
-    resp = await client.post("/api/auth/login", json={"password": "irrelevant"})
+    # Unknown email → verify_password_for_user returns None → 401.
+    resp = await client.post("/api/auth/login", json={"email": "nobody@test.local", "password": "irrelevant"})
     assert resp.status_code == 401, resp.text
     assert resp.json()["detail"] == "invalid credentials"

tests/test_oauth_consent_csrf.py

@@ -20,11 +20,16 @@
 
 _TEST_PASSWORD = "test-password-csrf"
 _TEST_PASSWORD_HASH = PasswordHasher().hash(_TEST_PASSWORD)
+_OPERATOR_EMAIL = "operator@local"
 
 
 @pytest_asyncio.fixture
 async def https_client(db_conn, monkeypatch):
-    monkeypatch.setenv("APP_PASSWORD_HASH", _TEST_PASSWORD_HASH)
+    async with db_conn.connection() as conn, conn.cursor() as cur:
+        await cur.execute(
+            "UPDATE users SET password_hash = %s WHERE email = %s",
+            (_TEST_PASSWORD_HASH, _OPERATOR_EMAIL),
+        )
     get_settings.cache_clear()
     monkeypatch.setattr(db_module, "_pool", db_conn)
 
@@ -57,7 +62,7 @@ async def _register_and_login(client: AsyncClient) -> str:
     client_id = reg.json()["client_id"]
 
     login = await client.post(
-        "/api/auth/login", json={"password": _TEST_PASSWORD}
+        "/api/auth/login", json={"email": _OPERATOR_EMAIL, "password": _TEST_PASSWORD}
     )
     assert login.status_code == 200
     return client_id