mirror of
https://github.com/makeplane/plane.git
synced 2026-07-09 12:00:38 +02:00
Bot service accounts (User.is_bot=True, e.g. the WORKSPACE_SEED bot) are internal identities meant to act only through API tokens. Nothing stopped one from being driven through the interactive login flow if its email was known, letting a human assume a service identity. Reject bot accounts at the shared login chokepoint, Adapter.complete_login_or_signup(), right beside the existing deactivated-account check. This covers every interactive provider in one place: email/password, magic code, and all OAuth providers (Google, GitHub, GitLab, Gitea) across both the app and space surfaces. Bot API-token access is left untouched, since that is how bots are meant to operate. Also add a defense-in-depth is_bot guard to InstanceAdminSignInEndpoint, which mints its own admin session outside the chokepoint (a bot is never an InstanceAdmin today, so this is not currently reachable, but it closes the path regardless). Surface the rejection with a new dedicated error code BOT_USER_LOGIN_FORBIDDEN (5017), plumbed into the app and space frontend error helpers as well as the shared @plane/constants and @plane/utils packages (message map + banner-alert list) so any consumer of the shared auth-error handler renders it correctly. The admin path reuses the existing ADMIN_AUTHENTICATION_FAILED code so it discloses no bot-specific error. Add contract regression tests: a bot blocked via password and via magic code, a bot blocked at the admin sign-in endpoint, and a non-bot control that still logs in.