From 4983c3fc349b94a8ff357bca9c734c6d4ccbac42 Mon Sep 17 00:00:00 2001
From: Raffael Meyer <14891507+barredterra@users.noreply.github.com>
Date: Mon, 28 Jul 2025 06:34:10 +0200
Subject: [PATCH] fix: prevent logout due to empty "Password" field (#29158)

* fix: prevent logout due to empty "Password" field

* fix: validate_api_key_secret

- We don't want get decrypted password to raise a ValidationError
- If api_key, api_secret or doc_secret are empty, we want an AuthenticationError
---
 frappe/auth.py | 7 +++++--
 frappe/utils/password.py | 3 +--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/frappe/auth.py b/frappe/auth.py
index 9e4e66dda0..f667138ea1 100644
--- a/frappe/auth.py
+++ b/frappe/auth.py
@@ -704,6 +704,9 @@ def validate_auth_via_api_keys(authorization_header):
 def validate_api_key_secret(api_key, api_secret, frappe_authorization_source=None):
 """frappe_authorization_source to provide api key and secret for a doctype apart from User"""
+ if not api_key or not api_secret:
+ raise frappe.AuthenticationError
+
 doctype = frappe_authorization_source or "User"
 docname = frappe.db.get_value(
 doctype=doctype, filters={"api_key": api_key, "enabled": True}, fieldname=["name"]
@@ -711,8 +714,8 @@ def validate_api_key_secret(api_key, api_secret, frappe_authorization_source=Non
 if not docname:
 raise frappe.AuthenticationError
 form_dict = frappe.local.form_dict
- doc_secret = get_decrypted_password(doctype, docname, fieldname="api_secret")
- if api_secret == doc_secret:
+ doc_secret = get_decrypted_password(doctype, docname, fieldname="api_secret", raise_exception=False)
+ if doc_secret and api_secret == doc_secret:
 if doctype == "User":
 user = frappe.db.get_value(doctype="User", filters={"api_key": api_key}, fieldname=["name"])
 else:
diff --git a/frappe/utils/password.py b/frappe/utils/password.py
index db3e0ff09d..0393cd69dd 100644
--- a/frappe/utils/password.py
+++ b/frappe/utils/password.py
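Review bot: The docstring of validate_api_key_secret still only explains frappe_authorization_source, while the new guard at the top of the body adds a way the function raises frappe.AuthenticationError before any lookup happens. A caller reading the docstring cannot tell that an empty api_key or api_secret is rejected outright rather than compared against the stored secret. I would extend it with `Raises frappe.AuthenticationError when api_key or api_secret is empty or when no enabled document carries api_key.` The function body continues past this hunk, so whatever the wrong-secret path raises is not visible here and should be documented from the full definition.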
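Review bot: `api_secret == doc_secret` on the new comparison line checks the caller-supplied secret against the stored one with ordinary string equality, which stops at the first differing character; for an authentication secret the defensive choice is `hmac.compare_digest`, whose running time does not depend on where the inputs differ. With `import hmac` added to the top of auth.py (outside this hunk) the line would read `if doc_secret and hmac.compare_digest(api_secret.encode(), doc_secret.encode()):`, where encoding to bytes assumes both values are str — the hunk does not establish that for api_secret, so confirm it against validate_auth_via_api_keys. The switch to `raise_exception=False` looks right: a missing or undecryptable secret now leaves `doc_secret` as None and falls through instead of surfacing whatever get_decrypted_password throws, but the branch that handles that fall-through lies outside the hunk and should be checked to raise frappe.AuthenticationError rather than silently continue. The enclosing function starts before and ends after this hunk.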
@@ -42,10 +42,9 @@ def get_decrypted_password(doctype, name, fieldname="password", raise_exception=
 return None
- elif raise_exception:
+ if raise_exception:
 frappe.throw(
 _("Password not found for {0} {1} {2}").format(doctype, name, fieldname),
- frappe.AuthenticationError,
 )