feat(login): accept account code / name / email / phone (William punch list #2) #142

Open: codegeek718 wants to merge 1 commit into develop from feat/multi-format-signin

codegeek718 commented Jul 1, 2026

Summary

The signin form now accepts any of: account code (QID or short), username, full name, email, or phone. cgmembers PHP owns the matching rules via the new /cgpay-lookup endpoint; this PR wires the SvelteKit side to it.

What's in this PR

| File | Change |
| --- | --- |
| web/src/routes/api/login/+server.ts | Adds phpLookup(identifier) helper (POSTs to /cgpay-lookup), replaces the SQL WHERE LOWER(name) = LOWER(?) lookup with a uid returned from PHP -> then SELECT ... WHERE uid = ? for the password hash. Accepts new identifier body field, still reads legacy name for backwards compat. Error message changed from "Invalid username or password" to "Invalid account ID or password". |
| web/src/routes/login/+page.svelte | Renames the name state to identifier, updates the form label to Account ID and placeholder to account code, name, email, or phone. Posts { identifier, password } to the API. |

Timing safety

The dummy-hash pattern is preserved: checkPassword always runs, either against the real user's pass (when the lookup finds them) or against DUMMY_HASH (when it doesn't). Response time stays constant regardless of whether the identifier matches.

Companion PR

cgmembers-frame #37 - the PHP /cgpay-lookup endpoint.
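
The dummy-hash pattern from the Timing safety section, as an added TypeScript sketch that is not code from this PR: the scrypt storage format, the in-memory tables and lookupUid (a stand-in for phpLookup) are assumptions. It equalises the hashing cost between known and unknown identifiers; time spent in the lookup call and the follow-up SELECT is outside what the pattern covers.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Assumed storage format for this example: "<salt hex>:<scrypt hash hex>".
function hashPassword(password: string, salt: Buffer = randomBytes(16)): string {
  return `${salt.toString("hex")}:${scryptSync(password, salt, 32).toString("hex")}`;
}

let hashChecks = 0; // instrumentation so the test can see that hashing always ran

// One scrypt derivation plus a constant-time compare, whoever the hash belongs to.
function checkPassword(password: string, stored: string): boolean {
  hashChecks++;
  const [saltHex, hashHex] = stored.split(":");
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected);
}

// Hash of a random secret nobody knows, built with the same parameters as real hashes.
const DUMMY_HASH = hashPassword(randomBytes(32).toString("hex"));

// Constructed sample data standing in for the users table and the PHP matching rules.
const passwordHashes = new Map<number, string>([[1001, hashPassword("correct horse")]]);
const identifiers = new Map<string, number>([
  ["alice@example.org", 1001],
  ["alice", 1001],
]);

// Hypothetical stand-in for phpLookup(identifier): returns a uid or null.
function lookupUid(identifier: string): number | null {
  return identifiers.get(identifier.trim().toLowerCase()) ?? null;
}

function login(identifier: string, password: string): { ok: boolean; error?: string } {
  const uid = lookupUid(identifier);
  const realHash = uid === null ? undefined : passwordHashes.get(uid);
  // No early return on a miss: the same hashing work runs against DUMMY_HASH.
  const passwordOk = checkPassword(password, realHash ?? DUMMY_HASH);
  // Success requires a real account, so a dummy-hash match can never authenticate.
  if (passwordOk && realHash !== undefined) return { ok: true };
  // Same message for an unknown identifier and a wrong password.
  return { ok: false, error: "Invalid account ID or password" };
}
```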
