fix: prevent logout due to empty "Password" field (#29158)

* fix: prevent logout due to empty "Password" field

* fix: validate_api_key_secret

- We don't want get decrypted password to raise a ValidationError
- If api_key, api_secret or doc_secret are empty, we want an AuthenticationError

frappe/auth.py

@@ -704,6 +704,9 @@ def validate_auth_via_api_keys(authorization_header):
 
 def validate_api_key_secret(api_key, api_secret, frappe_authorization_source=None):
 	"""frappe_authorization_source to provide api key and secret for a doctype apart from User"""
+	if not api_key or not api_secret:
+		raise frappe.AuthenticationError
+
 	doctype = frappe_authorization_source or "User"
 	docname = frappe.db.get_value(
 		doctype=doctype, filters={"api_key": api_key, "enabled": True}, fieldname=["name"]
@@ -711,8 +714,8 @@ def validate_api_key_secret(api_key, api_secret, frappe_authorization_source=Non
 	if not docname:
 		raise frappe.AuthenticationError
 	form_dict = frappe.local.form_dict
-	doc_secret = get_decrypted_password(doctype, docname, fieldname="api_secret")
-	if api_secret == doc_secret:
+	doc_secret = get_decrypted_password(doctype, docname, fieldname="api_secret", raise_exception=False)
+	if doc_secret and api_secret == doc_secret:
 		if doctype == "User":
 			user = frappe.db.get_value(doctype="User", filters={"api_key": api_key}, fieldname=["name"])
 		else:

frappe/utils/password.py

@@ -42,10 +42,9 @@ def get_decrypted_password(doctype, name, fieldname="password", raise_exception=
 
 			return None
 
-	elif raise_exception:
+	if raise_exception:
 		frappe.throw(
 			_("Password not found for {0} {1} {2}").format(doctype, name, fieldname),
-			frappe.AuthenticationError,
 		)