Auth: Keep OTP Auth and AppPasswords unless the remote directory provides new ones (fixes #2319)

2025-12-09 21:05:59 +08:00 · 2025-10-26 16:16:22 +01:00 · 2025-10-26 16:16:22 +01:00 · 2c2dd52a61
commit 2c2dd52a61
parent 8cee757d7f
1 changed files with 12 additions and 2 deletions
--- a/crates/directory/src/core/principal.rs
+++ b/crates/directory/src/core/principal.rs
@ -308,6 +308,8 @@ impl Principal {
        let mut has_role = false;
        let mut has_member_of = false;
        let mut has_quota = false;
+        let mut has_otp_auth = false;
+        let mut has_app_password = false;

        for item in external.data {
            match item {
@ -323,9 +325,15 @@ impl Principal {
                    has_role = true;
                    external_data.insert(item);
                }
+                PrincipalData::OtpAuth(_) => {
+                    has_otp_auth = true;
+                    external_data.insert(item);
+                }
+                PrincipalData::AppPassword(_) => {
+                    has_app_password = true;
+                    external_data.insert(item);
+                }
                PrincipalData::Password(_)
-                | PrincipalData::AppPassword(_)
-                | PrincipalData::OtpAuth(_)
                | PrincipalData::Description(_)
                | PrincipalData::PrimaryEmail(_)
                | PrincipalData::EmailAlias(_) => {
@ -352,6 +360,8 @@ impl Principal {
                    if external_data.remove(&item)
                        || match item {
                            PrincipalData::EmailAlias(_) => true,
+                            PrincipalData::AppPassword(_) => !has_app_password,
+                            PrincipalData::OtpAuth(_) => !has_otp_auth,
                            PrincipalData::Role(_) => !has_role,
                            PrincipalData::MemberOf(_) => !has_member_of,
                            PrincipalData::DiskQuota(_) => !has_quota,