arize-phoenix 9.6.0__py3-none-any.whl → 10.0.0__py3-none-any.whl

phoenix/db/migrations/versions/6a88424799fe_update_users_with_auth_method.py

@@ -0,0 +1,179 @@
+"""Add auth_method column to users table and migrate existing authentication data.
+
+This migration:
+1. Adds a new 'auth_method' column to the users table that indicates whether a user
+   authenticates via local password ('LOCAL') or external OAuth2 ('OAUTH2')
+2. Migrates existing authentication data to populate the new column:
+   - Sets 'LOCAL' for users with password_hash
+   - Sets 'OAUTH2' for users with OAuth2 credentials
+3. Adds appropriate constraints to ensure data integrity:
+   - NOT NULL constraint on auth_method
+   - 'valid_auth_method': ensures only 'LOCAL' or 'OAUTH2' values
+   - 'local_auth_has_password_no_oauth': ensures LOCAL users have password credentials and
+     do not have OAuth2 credentials
+   - 'non_local_auth_has_no_password': ensures OAUTH2 users do not have password credentials
+4. Removes legacy constraints that are replaced by the new column:
+   - 'password_hash_and_salt': ensures password_hash and password_salt are consistent
+   - 'exactly_one_auth_method': replaced by auth_method column and its constraints
+   - 'oauth2_client_id_and_user_id': replaced by auth_method column and its constraints
+5. Drops redundant single column indices:
+   - 'ix_users_oauth2_client_id' and 'ix_users_oauth2_user_id' are removed as they are
+     redundant with the unique constraint 'uq_users_oauth2_client_id_oauth2_user_id',
+     which already provides the necessary composite index for lookups
+
+The migration uses batch_alter_table to ensure compatibility with both SQLite and PostgreSQL.
+This approach allows us to:
+- Add the column as nullable initially
+- Update the values based on existing authentication data
+- Make the column NOT NULL after populating
+- Add appropriate constraints
+- Remove legacy constraints
+- Drop redundant indices
+
+The downgrade path:
+1. Recreates the legacy constraints:
+   - 'password_hash_and_salt': ensures password_hash and password_salt are consistent
+   - 'exactly_one_auth_method': ensures exactly one auth method is set
+   - 'oauth2_client_id_and_user_id': ensures OAuth2 credentials are consistent
+2. Removes the auth_method column and its associated constraints
+3. Recreates the single column indices to maintain backward compatibility:
+   - 'ix_users_oauth2_client_id'
+   - 'ix_users_oauth2_user_id'
+
+Revision ID: 6a88424799fe
+Revises: 8a3764fe7f1a
+Create Date: 2025-05-01 08:08:22.700715
+
+"""  # noqa: E501
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "6a88424799fe"
+down_revision: Union[str, None] = "8a3764fe7f1a"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade the database schema to include the auth_method column.
+
+    This function:
+    1. Adds the auth_method column as nullable
+    2. Populates the column based on existing authentication data:
+       - 'LOCAL' for users with password_hash
+       - 'OAUTH2' for users with OAuth2 credentials
+    3. Makes the column NOT NULL after populating
+    4. Adds CHECK constraints to ensure data integrity:
+       - 'valid_auth_method': ensures only 'LOCAL' or 'OAUTH2' values
+       - 'local_auth_has_password_no_oauth': ensures LOCAL users have password credentials and
+          do not have OAuth2 credentials
+       - 'non_local_auth_has_no_password': ensures OAUTH2 users do not have password credentials
+    5. Removes legacy constraints that are replaced by the new column:
+       - 'password_hash_and_salt'
+       - 'exactly_one_auth_method'
+       - 'oauth2_client_id_and_user_id'
+    6. Drops redundant single column indices:
+       - 'ix_users_oauth2_client_id' and 'ix_users_oauth2_user_id' are removed as they are
+         redundant with the unique constraint 'uq_users_oauth2_client_id_oauth2_user_id',
+         which already provides the necessary composite index for lookups
+
+    The implementation uses batch_alter_table for compatibility with both
+    SQLite and PostgreSQL databases.
+
+    Raises:
+        sqlalchemy.exc.SQLAlchemyError: If database operations fail
+    """  # noqa: E501
+    with op.batch_alter_table("users") as batch_op:
+        # For SQLite, first add the column as nullable
+        batch_op.add_column(sa.Column("auth_method", sa.String, nullable=True))
+
+    with op.batch_alter_table("users") as batch_op:
+        batch_op.execute("""
+            UPDATE users
+            SET auth_method = CASE
+            WHEN password_hash IS NOT NULL THEN 'LOCAL' ELSE 'OAUTH2' END
+        """)
+        # Make the column non-nullable
+        batch_op.alter_column("auth_method", nullable=False, existing_nullable=True)
+
+        # Drop both old constraints as they're now redundant
+        batch_op.drop_constraint("password_hash_and_salt", type_="check")
+        batch_op.drop_constraint("exactly_one_auth_method", type_="check")
+        batch_op.drop_constraint("oauth2_client_id_and_user_id", type_="check")
+
+        # Drop redundant single column indices, because a composite index already
+        # exists in the uniqueness constraint for (client_id, user_id)
+        batch_op.drop_index("ix_users_oauth2_client_id")
+        batch_op.drop_index("ix_users_oauth2_user_id")
+
+        # Add CHECK constraint to ensure only valid values are allowed
+        batch_op.create_check_constraint(
+            "valid_auth_method",
+            "auth_method IN ('LOCAL', 'OAUTH2')",
+        )
+        batch_op.create_check_constraint(
+            "local_auth_has_password_no_oauth",
+            "auth_method != 'LOCAL' "
+            "OR (password_hash IS NOT NULL AND password_salt IS NOT NULL "
+            "AND oauth2_client_id IS NULL AND oauth2_user_id IS NULL)",
+        )
+        batch_op.create_check_constraint(
+            "non_local_auth_has_no_password",
+            "auth_method = 'LOCAL' OR (password_hash IS NULL AND password_salt IS NULL)",
+        )
+
+
+def downgrade() -> None:
+    """Downgrade the database schema by removing the auth_method column.
+
+    This function:
+    1. Recreates the legacy constraints that were removed in the upgrade:
+       - 'password_hash_and_salt': ensures password_hash and password_salt are consistent
+       - 'exactly_one_auth_method': ensures exactly one auth method is set
+       - 'oauth2_client_id_and_user_id': ensures OAuth2 credentials are consistent
+    2. Removes the auth_method column and its associated CHECK constraints:
+       - 'non_local_auth_has_no_password'
+       - 'local_auth_has_password_no_oauth'
+       - 'valid_auth_method'
+    3. Recreates the single column indices to maintain backward compatibility:
+       - 'ix_users_oauth2_client_id'
+       - 'ix_users_oauth2_user_id'
+
+    The implementation uses batch_alter_table to ensure compatibility with both
+    SQLite and PostgreSQL databases.
+
+    Raises:
+        sqlalchemy.exc.SQLAlchemyError: If database operations fail
+    """  # noqa: E501
+    # Use batch_alter_table for SQLite compatibility
+    # This ensures the downgrade works on both SQLite and PostgreSQL
+    with op.batch_alter_table("users") as batch_op:
+        # Drop the CHECK constraint and column
+        batch_op.drop_constraint("non_local_auth_has_no_password", type_="check")
+        batch_op.drop_constraint("local_auth_has_password_no_oauth", type_="check")
+        batch_op.drop_constraint("valid_auth_method", type_="check")
+
+        # Recreate single column indices
+        batch_op.create_index("ix_users_oauth2_user_id", ["oauth2_user_id"])
+        batch_op.create_index("ix_users_oauth2_client_id", ["oauth2_client_id"])
+
+        # Recreate both old constraints that were dropped in upgrade
+        batch_op.create_check_constraint(
+            "oauth2_client_id_and_user_id",
+            "(oauth2_client_id IS NULL) = (oauth2_user_id IS NULL)",
+        )
+        batch_op.create_check_constraint(
+            "exactly_one_auth_method",
+            "(password_hash IS NULL) != (oauth2_client_id IS NULL)",
+        )
+        batch_op.create_check_constraint(
+            "password_hash_and_salt",
+            "(password_hash IS NULL) = (password_salt IS NULL)",
+        )
+
+        # Remove added column
+        batch_op.drop_column("auth_method")

phoenix/db/models.py

@@ -1,5 +1,4 @@
 from datetime import datetime, timezone
-from enum import Enum
 from typing import Any, Iterable, Literal, Optional, Sequence, TypedDict, cast
 
 import sqlalchemy.sql as sql
@@ -23,7 +22,6 @@ from sqlalchemy import (
     case,
     func,
     insert,
-    not_,
     select,
     text,
 )
@@ -42,6 +40,7 @@ from sqlalchemy.orm import (
 from sqlalchemy.sql import Values, column, compiler, expression, literal, roles, union_all
 from sqlalchemy.sql.compiler import SQLCompiler
 from sqlalchemy.sql.functions import coalesce
+from typing_extensions import TypeAlias
 
 from phoenix.config import get_env_database_schema
 from phoenix.datetime_utils import normalize_datetime
@@ -147,9 +146,7 @@ def render_values_w_union(
     return compiler.process(subquery, from_linter=from_linter, **kw)
 
 
-class AuthMethod(Enum):
-    LOCAL = "LOCAL"
-    OAUTH2 = "OAUTH2"
+AuthMethod: TypeAlias = Literal["LOCAL", "OAUTH2"]
 
 
 class JSONB(JSON):
@@ -1152,8 +1149,11 @@ class User(Base):
     password_hash: Mapped[Optional[bytes]]
     password_salt: Mapped[Optional[bytes]]
     reset_password: Mapped[bool]
-    oauth2_client_id: Mapped[Optional[str]] = mapped_column(index=True, nullable=True)
-    oauth2_user_id: Mapped[Optional[str]] = mapped_column(index=True, nullable=True)
+    oauth2_client_id: Mapped[Optional[str]]
+    oauth2_user_id: Mapped[Optional[str]]
+    auth_method: Mapped[AuthMethod] = mapped_column(
+        CheckConstraint("auth_method IN ('LOCAL', 'OAUTH2')", name="valid_auth_method")
+    )
     created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
     updated_at: Mapped[datetime] = mapped_column(
         UtcTimeStamp, server_default=func.now(), onupdate=func.now()
@@ -1169,41 +1169,21 @@ class User(Base):
     )
     api_keys: Mapped[list["ApiKey"]] = relationship("ApiKey", back_populates="user")
 
-    @hybrid_property
-    def auth_method(self) -> Optional[str]:
-        if self.password_hash is not None:
-            return AuthMethod.LOCAL.value
-        elif self.oauth2_client_id is not None:
-            return AuthMethod.OAUTH2.value
-        return None
-
-    @auth_method.inplace.expression
-    @classmethod
-    def _auth_method_expression(cls) -> ColumnElement[Optional[str]]:
-        return case(
-            (
-                not_(cls.password_hash.is_(None)),
-                AuthMethod.LOCAL.value,
-            ),
-            (
-                not_(cls.oauth2_client_id.is_(None)),
-                AuthMethod.OAUTH2.value,
-            ),
-            else_=None,
-        )
+    __mapper_args__ = {
+        "polymorphic_on": "auth_method",
+        "polymorphic_identity": None,  # Base class is abstract
+    }
 
     __table_args__ = (
         CheckConstraint(
-            "(password_hash IS NULL) = (password_salt IS NULL)",
-            name="password_hash_and_salt",
+            "auth_method != 'LOCAL' "
+            "OR (password_hash IS NOT NULL AND password_salt IS NOT NULL "
+            "AND oauth2_client_id IS NULL AND oauth2_user_id IS NULL)",
+            name="local_auth_has_password_no_oauth",
         ),
         CheckConstraint(
-            "(oauth2_client_id IS NULL) = (oauth2_user_id IS NULL)",
-            name="oauth2_client_id_and_user_id",
-        ),
-        CheckConstraint(
-            "(password_hash IS NULL) != (oauth2_client_id IS NULL)",
-            name="exactly_one_auth_method",
+            "auth_method = 'LOCAL' OR (password_hash IS NULL AND password_salt IS NULL)",
+            name="non_local_auth_has_no_password",
         ),
         UniqueConstraint(
             "oauth2_client_id",
@@ -1213,6 +1193,55 @@ class User(Base):
     )
 
 
+class LocalUser(User):
+    __mapper_args__ = {
+        "polymorphic_identity": "LOCAL",
+    }
+
+    def __init__(
+        self,
+        *,
+        email: str,
+        username: str,
+        password_hash: bytes,
+        password_salt: bytes,
+        reset_password: bool = True,
+        user_role_id: Optional[int] = None,
+    ) -> None:
+        if not password_hash or not password_salt:
+            raise ValueError("password_hash and password_salt are required for LocalUser")
+        super().__init__(
+            email=email.strip(),
+            username=username.strip(),
+            user_role_id=user_role_id,
+            password_hash=password_hash,
+            password_salt=password_salt,
+            reset_password=reset_password,
+            auth_method="LOCAL",
+        )
+
+
+class OAuth2User(User):
+    __mapper_args__ = {
+        "polymorphic_identity": "OAUTH2",
+    }
+
+    def __init__(
+        self,
+        *,
+        email: str,
+        username: str,
+        user_role_id: Optional[int] = None,
+    ) -> None:
+        super().__init__(
+            email=email.strip(),
+            username=username.strip(),
+            user_role_id=user_role_id,
+            reset_password=False,
+            auth_method="OAUTH2",
+        )
+
+
 class PasswordResetToken(Base):
     __tablename__ = "password_reset_tokens"
     user_id: Mapped[int] = mapped_column(

phoenix/server/api/context.py

@@ -4,6 +4,7 @@ from functools import cached_property, partial
 from pathlib import Path
 from typing import Any, Optional, cast
 
+from starlette.datastructures import Secret
 from starlette.requests import Request as StarletteRequest
 from starlette.responses import Response as StarletteResponse
 from strawberry.fastapi import BaseContext
@@ -128,11 +129,11 @@ class Context(BaseContext):
     read_only: bool = False
     locked: bool = False
     auth_enabled: bool = False
-    secret: Optional[str] = None
+    secret: Optional[Secret] = None
     token_store: Optional[TokenStore] = None
     email_sender: Optional[EmailSender] = None
 
-    def get_secret(self) -> str:
+    def get_secret(self) -> Secret:
         """A type-safe way to get the application secret. Throws an error if the secret is not set.
 
         Returns:
@@ -161,7 +162,7 @@ class Context(BaseContext):
             raise ValueError("no response is set")
         return response
 
-    async def is_valid_password(self, password: str, user: models.User) -> bool:
+    async def is_valid_password(self, password: Secret, user: models.User) -> bool:
         return (
             (hash_ := user.password_hash) is not None
             and (salt := user.password_salt) is not None
@@ -169,7 +170,7 @@ class Context(BaseContext):
         )
 
     @staticmethod
-    async def hash_password(password: str, salt: bytes) -> bytes:
+    async def hash_password(password: Secret, salt: bytes) -> bytes:
         compute = partial(compute_password_hash, password=password, salt=salt)
         return await get_running_loop().run_in_executor(None, compute)
 

phoenix/server/api/mutations/user_mutations.py

@@ -9,6 +9,7 @@ from sqlalchemy import Boolean, Select, and_, case, cast, delete, distinct, func
 from sqlalchemy.exc import IntegrityError as PostgreSQLIntegrityError
 from sqlalchemy.orm import joinedload
 from sqlean.dbapi2 import IntegrityError as SQLiteIntegrityError  # type: ignore[import-untyped]
+from starlette.datastructures import Secret
 from strawberry import UNSET
 from strawberry.relay import GlobalID
 from strawberry.types import Info
@@ -23,11 +24,13 @@ from phoenix.auth import (
     validate_email_format,
     validate_password_format,
 )
+from phoenix.config import get_env_disable_basic_auth
 from phoenix.db import enums, models
 from phoenix.server.api.auth import IsAdmin, IsLocked, IsNotReadOnly
 from phoenix.server.api.context import Context
-from phoenix.server.api.exceptions import Conflict, NotFound, Unauthorized
+from phoenix.server.api.exceptions import BadRequest, Conflict, NotFound, Unauthorized
 from phoenix.server.api.input_types.UserRoleInput import UserRoleInput
+from phoenix.server.api.types.AuthMethod import AuthMethod
 from phoenix.server.api.types.node import from_global_id_with_expected_type
 from phoenix.server.api.types.User import User, to_gql_user
 from phoenix.server.bearer_auth import PhoenixUser
@@ -40,9 +43,19 @@ logger = logging.getLogger(__name__)
 class CreateUserInput:
     email: str
     username: str
-    password: str
+    password: Optional[str] = UNSET
     role: UserRoleInput
     send_welcome_email: Optional[bool] = False
+    auth_method: Optional[AuthMethod] = AuthMethod.LOCAL
+
+    def __post_init__(self) -> None:
+        if self.auth_method is AuthMethod.OAUTH2:
+            if self.password:
+                raise BadRequest("Password is not allowed for OAuth2 authentication")
+        elif get_env_disable_basic_auth():
+            raise BadRequest("Basic auth is disabled: OAuth2 authentication only")
+        elif not self.password:
+            raise BadRequest("Password is required for local authentication")
 
 
 @strawberry.input
@@ -53,11 +66,16 @@ class PatchViewerInput:
 
     def __post_init__(self) -> None:
         if not self.new_username and not self.new_password:
-            raise ValueError("At least one field must be set")
-        if self.new_password and not self.current_password:
-            raise ValueError("current_password is required when modifying password")
+            raise BadRequest("At least one field must be set")
         if self.new_password:
-            PASSWORD_REQUIREMENTS.validate(self.new_password)
+            if get_env_disable_basic_auth():
+                raise BadRequest("Basic auth is disabled: OAuth2 authentication only")
+            if not self.current_password:
+                raise BadRequest("current_password is required when modifying password")
+            try:
+                PASSWORD_REQUIREMENTS.validate(self.new_password)
+            except ValueError as e:
+                raise BadRequest(str(e))
 
 
 @strawberry.input
@@ -69,9 +87,14 @@ class PatchUserInput:
 
     def __post_init__(self) -> None:
         if not self.new_role and not self.new_username and not self.new_password:
-            raise ValueError("At least one field must be set")
+            raise BadRequest("At least one field must be set")
         if self.new_password:
-            PASSWORD_REQUIREMENTS.validate(self.new_password)
+            if get_env_disable_basic_auth():
+                raise BadRequest("Basic auth is disabled: OAuth2 authentication only")
+            try:
+                PASSWORD_REQUIREMENTS.validate(self.new_password)
+            except ValueError as e:
+                raise BadRequest(str(e))
 
 
 @strawberry.input
@@ -92,17 +115,24 @@ class UserMutationMixin:
         info: Info[Context, None],
         input: CreateUserInput,
     ) -> UserMutationPayload:
-        validate_email_format(email := input.email)
-        validate_password_format(password := input.password)
-        salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
-        password_hash = await info.context.hash_password(password, salt)
-        user = models.User(
-            reset_password=True,
-            username=input.username,
-            email=email,
-            password_hash=password_hash,
-            password_salt=salt,
-        )
+        user: models.User
+        if input.auth_method is AuthMethod.OAUTH2:
+            user = models.OAuth2User(
+                email=input.email,
+                username=input.username,
+            )
+        else:
+            assert input.password
+            validate_email_format(input.email)
+            validate_password_format(input.password)
+            salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
+            password_hash = await info.context.hash_password(Secret(input.password), salt)
+            user = models.LocalUser(
+                email=input.email,
+                username=input.username,
+                password_hash=password_hash,
+                password_salt=salt,
+            )
         async with AsyncExitStack() as stack:
             session = await stack.enter_async_context(info.context.db())
             user_role_id = await session.scalar(_select_role_id_by_name(input.role.value))
@@ -150,11 +180,12 @@ class UserMutationMixin:
                     raise NotFound(f"Role {input.new_role.value} not found")
                 user.user_role_id = user_role_id
             if password := input.new_password:
-                if user.auth_method != enums.AuthMethod.LOCAL.value:
+                if user.auth_method != "LOCAL":
                     raise Conflict("Cannot modify password for non-local user")
                 validate_password_format(password)
-                user.password_salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
-                user.password_hash = await info.context.hash_password(password, user.password_salt)
+                salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
+                user.password_salt = salt
+                user.password_hash = await info.context.hash_password(Secret(password), salt)
                 user.reset_password = True
             if username := input.new_username:
                 user.username = username
@@ -183,15 +214,16 @@ class UserMutationMixin:
                 raise NotFound("User not found")
             stack.enter_context(session.no_autoflush)
             if password := input.new_password:
-                if user.auth_method != enums.AuthMethod.LOCAL.value:
+                if user.auth_method != "LOCAL":
                     raise Conflict("Cannot modify password for non-local user")
                 if not (
                     current_password := input.current_password
-                ) or not await info.context.is_valid_password(current_password, user):
+                ) or not await info.context.is_valid_password(Secret(current_password), user):
                     raise Conflict("Valid current password is required to modify password")
                 validate_password_format(password)
-                user.password_salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
-                user.password_hash = await info.context.hash_password(password, user.password_salt)
+                salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
+                user.password_salt = salt
+                user.password_hash = await info.context.hash_password(Secret(password), salt)
                 user.reset_password = False
             if username := input.new_username:
                 user.username = username

phoenix/server/api/routers/auth.py

@@ -11,6 +11,7 @@ from sqlalchemy.orm import joinedload
 from starlette.status import (
     HTTP_204_NO_CONTENT,
     HTTP_401_UNAUTHORIZED,
+    HTTP_403_FORBIDDEN,
     HTTP_404_NOT_FOUND,
     HTTP_422_UNPROCESSABLE_ENTITY,
     HTTP_503_SERVICE_UNAVAILABLE,
@@ -31,8 +32,13 @@ from phoenix.auth import (
     set_refresh_token_cookie,
     validate_password_format,
 )
-from phoenix.config import get_base_url, get_env_disable_rate_limit, get_env_host_root_path
-from phoenix.db import enums, models
+from phoenix.config import (
+    get_base_url,
+    get_env_disable_basic_auth,
+    get_env_disable_rate_limit,
+    get_env_host_root_path,
+)
+from phoenix.db import models
 from phoenix.server.bearer_auth import PhoenixUser, create_access_and_refresh_tokens
 from phoenix.server.email.types import EmailSender
 from phoenix.server.rate_limiters import ServerRateLimiter, fastapi_ip_rate_limiter
@@ -68,6 +74,8 @@ router = APIRouter(prefix="/auth", include_in_schema=False, dependencies=auth_de
 
 @router.post("/login")
 async def login(request: Request) -> Response:
+    if get_env_disable_basic_auth():
+        raise HTTPException(status_code=HTTP_403_FORBIDDEN)
     assert isinstance(access_token_expiry := request.app.state.access_token_expiry, timedelta)
     assert isinstance(refresh_token_expiry := request.app.state.refresh_token_expiry, timedelta)
     token_store: TokenStore = request.app.state.get_token_store()
@@ -192,6 +200,8 @@ async def refresh_tokens(request: Request) -> Response:
 
 @router.post("/password-reset-email")
 async def initiate_password_reset(request: Request) -> Response:
+    if get_env_disable_basic_auth():
+        raise HTTPException(status_code=HTTP_403_FORBIDDEN)
     data = await request.json()
     if not (email := data.get("email")):
         raise MISSING_EMAIL
@@ -207,7 +217,7 @@ async def initiate_password_reset(request: Request) -> Response:
                 joinedload(models.User.password_reset_token).load_only(models.PasswordResetToken.id)
             )
         )
-    if user is None or user.auth_method != enums.AuthMethod.LOCAL.value:
+    if user is None or user.auth_method != "LOCAL":
         # Withold privileged information
         return Response(status_code=HTTP_204_NO_CONTENT)
     token_store: TokenStore = request.app.state.get_token_store()
@@ -230,6 +240,8 @@ async def initiate_password_reset(request: Request) -> Response:
 
 @router.post("/password-reset")
 async def reset_password(request: Request) -> Response:
+    if get_env_disable_basic_auth():
+        raise HTTPException(status_code=HTTP_403_FORBIDDEN)
     data = await request.json()
     if not (password := data.get("password")):
         raise MISSING_PASSWORD
@@ -244,7 +256,7 @@ async def reset_password(request: Request) -> Response:
     assert (user_id := claims.subject)
     async with request.app.state.db() as session:
         user = await session.scalar(select(models.User).filter_by(id=int(user_id)))
-    if user is None or user.auth_method != enums.AuthMethod.LOCAL.value:
+    if user is None or user.auth_method != "LOCAL":
         # Withold privileged information
         return Response(status_code=HTTP_204_NO_CONTENT)
     validate_password_format(password)