fix: avoid double bcrypt on login by using create_session_trusted (#3236)

* fix: avoid double bcrypt on login by adding create_session_trusted * fix: update test to expect create_session_trusted instead of create_session
2026-06-19 19:25:27 -04:00 · 2026-06-07 18:40:53 +05:30
parent 83b0ab7cd3
commit cbbb41dfb1
3 changed files with 11 additions and 7 deletions
@@ -447,6 +447,12 @@ class AuthManager:
        username = username.strip().lower()
        if not self.verify_password(username, password):
            return None
+        return self.create_session_trusted(username)
+
+    def create_session_trusted(self, username: str) -> str:
+        """Issue a session token for an already-verified user.
+        Call only after verify_password (and TOTP if enabled) have passed."""
+        username = username.strip().lower()
        token = secrets.token_hex(32)
        with self._sessions_lock:
            self._sessions[token] = {