regstack 0.5.9__tar.gz → 0.6.0__tar.gz

{regstack-0.5.9 → regstack-0.6.0}/.github/workflows/publish.yml

@@ -4,6 +4,11 @@ name: publish
 # Configure the PyPI project (https://pypi.org/manage/account/publishing/)
 # with the publisher: this repository, environment name `pypi`, workflow
 # `publish.yml`. No PyPI tokens live in GitHub Actions secrets.
+#
+# Third-party actions are pinned to commit SHAs (not mutable tags) so a
+# tag swap upstream can't substitute a malicious version. Update by
+# resolving the latest SHA for the version you want and bumping the
+# trailing `# vN` comment to match.
 
 on:
   push:
@@ -11,15 +16,22 @@ on:
       - "v*"
   workflow_dispatch:
 
+# Workflow-level default. Individual jobs override where they need
+# extra scopes (the `publish` job adds `id-token: write` for OIDC).
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           fetch-depth: 0
 
-      - uses: astral-sh/setup-uv@v3
+      - uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39  # v3
         with:
           enable-cache: true
 
@@ -42,7 +54,7 @@ jobs:
       - name: Build sdist + wheel
         run: uv build
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: dist
           path: dist/
@@ -55,9 +67,10 @@ jobs:
       name: pypi
       url: https://pypi.org/p/regstack
     permissions:
-      id-token: write   # OIDC trusted-publisher
+      id-token: write   # OIDC trusted-publisher exchange
+      contents: read
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4
         with:
           name: dist
           path: dist/

{regstack-0.5.9 → regstack-0.6.0}/.github/workflows/test.yml

@@ -10,9 +10,19 @@ concurrency:
   group: test-${{ github.ref }}
   cancel-in-progress: true
 
+# Workflow-level default — every job in this workflow gets read-only
+# permissions unless it overrides explicitly. Third-party actions are
+# pinned to commit SHAs so a tag swap upstream can't substitute a
+# malicious version; update by resolving the latest SHA for the
+# version you want and bumping the trailing `# vN` comment.
+permissions:
+  contents: read
+
 jobs:
   pytest:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -47,9 +57,9 @@ jobs:
       # Connect as superuser so the per-test fixture can CREATE/DROP DATABASE.
       REGSTACK_TEST_POSTGRES_URL: postgresql+asyncpg://regstack:regstack@localhost:5432
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
-      - uses: astral-sh/setup-uv@v3
+      - uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39  # v3
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
@@ -71,16 +81,18 @@ jobs:
 
   docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39  # v3
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
       - run: uv python pin 3.11
       - run: uv sync --extra docs --extra dev
       - run: uv run sphinx-build -b html -W --keep-going docs docs/_build/html
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: docs-html
           path: docs/_build/html
@@ -93,9 +105,11 @@ jobs:
     # equivalent in-process via meta_path blocking; this job verifies the
     # actual built wheel installs and imports against a clean Python.
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39  # v3
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"

{regstack-0.5.9 → regstack-0.6.0}/.gitignore

@@ -32,3 +32,15 @@ docs/_autosummary/
 /regstack-bootstrap.json
 **/regstack.secrets.env
 **/regstack-bootstrap.json
+
+# Defensive: keep credential material out of any commit, even from a
+# misconfigured local dev env. None of these are checked in today, but
+# the .env / *.pem / etc. patterns are recurring audit recommendations.
+.env
+.env.*
+*.pem
+*.key
+*.p12
+*.pfx
+*.jks
+*.crt

{regstack-0.5.9 → regstack-0.6.0}/CHANGELOG.md

@@ -5,6 +5,95 @@ authoritative copy lives at
 [`docs/changelog.md`](docs/changelog.md) and is rendered into the
 Sphinx docs.
 
+## 0.6.0 — 2026-05-14
+
+**Breaking change for wizard users.** The GUI setup wizards
+(`regstack oauth setup`, `regstack theme design`) are now behind a
+new optional `wizard` extra. `pip install regstack` no longer pulls
+in `pywebview`, `tomlkit`, or `uvicorn[standard]` — three heavy
+wizard-only dependencies that every library consumer was paying for,
+including a platform browser engine on every fresh install. A
+recurring audit recommendation since 0.5.0.
+
+**Migration.**
+
+- If you only embed regstack in a FastAPI app (no `regstack oauth
+  setup` or `regstack theme design`): no action needed. The base
+  install is now significantly slimmer.
+- If you use either setup wizard: install the new extra —
+  `pip install 'regstack[wizard]'` or `uv sync --extra wizard`.
+  Running a wizard subcommand without the extra now exits with a
+  one-line install hint (no ImportError traceback).
+- The `dev` extra continues to pull in the wizard deps directly so
+  `inv test-all` keeps working without an explicit `--extra wizard`.
+
+Bumped to **0.6.0** (not 0.5.12) because removing top-level deps is
+the kind of change that can surprise downstream `pip install
+regstack` callers — even though "the GUI wizard CLIs need an extra
+now" is the only observable effect.
+
+## 0.5.11 — 2026-05-14
+
+CI / workflow hygiene. No runtime code changes.
+
+- **All third-party GitHub Actions pinned to commit SHAs.**
+  `actions/checkout@v4`, `astral-sh/setup-uv@v3`,
+  `actions/upload-artifact@v4`, and `actions/download-artifact@v4` now
+  use commit SHAs in `.github/workflows/publish.yml` and
+  `.github/workflows/test.yml`, with `# v4` / `# v3` trailing comments
+  so future operators can resolve and bump. `pypa/gh-action-pypi-publish`
+  was already SHA-pinned (#37). A tag swap upstream can no longer
+  substitute a malicious version.
+- **`permissions:` blocks added to every workflow + job.** Both
+  workflows now declare a `permissions: contents: read` default at
+  the workflow level and re-state it per job (so a future addition of
+  a write-needing action doesn't silently inherit elevated scopes).
+  The `publish` job continues to declare `id-token: write` (OIDC
+  trusted-publisher exchange) — that's the only scope above
+  read-only anywhere in the workflows.
+- **`.gitignore` defensive additions.** `.env`, `.env.*`, and the
+  common credential-file patterns (`*.pem`, `*.key`, `*.p12`,
+  `*.pfx`, `*.jks`, `*.crt`) are now ignored at the repo root. None
+  are present today; this is belt-and-braces for misconfigured local
+  dev environments. A recurring audit recommendation.
+
+## 0.5.10 — 2026-05-14
+
+Security fixes from the 2026-05-13 / 2026-05-14 daily reviews. All
+warnings, no criticals — but several are real exploitable issues.
+
+**Security.**
+
+- **Open-redirect bypass in OAuth `redirect_to`.** `_validate_redirect`
+  was forwarding `urlsplit`'s judgment, but browsers normalize values
+  like `/\evil.com` and `////evil.com` into the protocol-relative
+  `//evil.com` — both of which `urlsplit` reports as same-origin
+  paths. The validator now rejects any backslash plus any value that
+  doesn't start with a single `/` followed by a non-slash character.
+- **CVE-2025-62727 — `fastapi` floor raised to `>=0.120.0`.** Starlette
+  DoS via large request bodies after multipart processing.
+- **CVE-2025-27516 — `jinja2` floor raised to `>=3.1.6`.** Sandbox
+  breakout via the `|attr` filter (only relevant if hosts allow
+  user-controlled templates; tightening the floor regardless).
+- **Login lockout no longer skips disabled / unverified accounts.**
+  `POST /login` now records a failure before raising HTTP 403 for
+  `is_active=False` and (when `require_verification=True`)
+  `is_verified=False` users. Password verification was also re-ordered
+  to run **before** those checks, so an attacker without the password
+  can't distinguish disabled vs active accounts by HTTP code alone.
+- **`POST /change-email` no longer enumerates registered addresses.**
+  An authenticated attacker could previously iterate the email
+  namespace via the 409 vs 202 response distinction. The endpoint now
+  always returns 202; if the candidate is already registered, no
+  confirmation email is sent (the legitimate user finds out by not
+  receiving it). Matches the existing anti-enumeration stance on
+  `/forgot-password` and `/resend-verification`.
+- **Admin resend-verification rejects OAuth-only users.** Previously
+  attempted to construct a `PendingRegistration` from a user with
+  `hashed_password=None`, which either failed validation or stored
+  the literal string `"None"` in the pending row. Now returns 400
+  with a clear message.
+
 ## 0.5.9 — 2026-05-13
 
 **`OAuthConfig.enforce_mfa_on_oauth_signin` is now wired.** The flag

{regstack-0.5.9 → regstack-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: regstack
-Version: 0.5.9
+Version: 0.6.0
 Summary: Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB.
 Project-URL: Homepage, https://github.com/jdrumgoole/regstack
 Project-URL: Repository, https://github.com/jdrumgoole/regstack
@@ -22,17 +22,14 @@ Requires-Dist: alembic>=1.13
 Requires-Dist: click>=8.1
 Requires-Dist: dnspython>=2.6
 Requires-Dist: email-validator>=2.1
-Requires-Dist: fastapi>=0.110
-Requires-Dist: jinja2>=3.1
+Requires-Dist: fastapi>=0.120.0
+Requires-Dist: jinja2>=3.1.6
 Requires-Dist: pwdlib[argon2]>=0.2.1
 Requires-Dist: pydantic-settings>=2.2
 Requires-Dist: pydantic>=2.6
 Requires-Dist: pyjwt>=2.12.1
 Requires-Dist: python-multipart>=0.0.26
-Requires-Dist: pywebview>=5.0
 Requires-Dist: sqlalchemy[asyncio]>=2.0
-Requires-Dist: tomlkit>=0.13
-Requires-Dist: uvicorn[standard]>=0.29
 Provides-Extra: dev
 Requires-Dist: anyio>=4.3; extra == 'dev'
 Requires-Dist: asyncpg>=0.29; extra == 'dev'
@@ -47,8 +44,10 @@ Requires-Dist: pytest-cov>=5.0; extra == 'dev'
 Requires-Dist: pytest-playwright>=0.5; extra == 'dev'
 Requires-Dist: pytest-xdist>=3.5; extra == 'dev'
 Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: pywebview>=5.0; extra == 'dev'
 Requires-Dist: ruff>=0.4; extra == 'dev'
 Requires-Dist: slowapi>=0.1.9; extra == 'dev'
+Requires-Dist: tomlkit>=0.13; extra == 'dev'
 Requires-Dist: uvicorn[standard]>=0.29; extra == 'dev'
 Provides-Extra: docs
 Requires-Dist: furo>=2024.1; extra == 'docs'
@@ -72,6 +71,10 @@ Provides-Extra: sns
 Requires-Dist: aioboto3>=12.3; extra == 'sns'
 Provides-Extra: twilio
 Requires-Dist: twilio>=9.0; extra == 'twilio'
+Provides-Extra: wizard
+Requires-Dist: pywebview>=5.0; extra == 'wizard'
+Requires-Dist: tomlkit>=0.13; extra == 'wizard'
+Requires-Dist: uvicorn[standard]>=0.29; extra == 'wizard'
 Description-Content-Type: text/markdown
 
 # regstack

{regstack-0.5.9 → regstack-0.6.0}/docs/changelog.md

@@ -3,6 +3,102 @@
 All notable changes to this project are documented here. Versions follow
 [Semantic Versioning](https://semver.org/) once `1.0.0` ships.
 
+## 0.6.0 — 2026-05-14
+
+### Changed (BREAKING — wizard install)
+
+- **GUI setup wizards now require the optional `wizard` extra.**
+  `regstack oauth setup` and `regstack theme design` previously
+  worked from a bare `pip install regstack` because their deps —
+  `pywebview`, `tomlkit`, and `uvicorn[standard]` — were in the base
+  dependency list. That meant every library consumer (including pure
+  FastAPI host apps that never run a setup wizard) was paying for a
+  platform browser engine and an ASGI server at install time.
+  Those three packages now live in a new `wizard` extra; the base
+  install is significantly slimmer.
+
+  **Migration.**
+
+  - If you embed regstack but don't use the setup wizards: no
+    action needed. `import regstack`, `RegStack(...)`, and the
+    `regstack init` / `regstack doctor` / `regstack migrate` /
+    `regstack create-admin` CLIs all work on the bare install.
+  - If you use either setup wizard:
+    `pip install 'regstack[wizard]'` or
+    `uv sync --extra wizard`.
+  - The `dev` extra continues to pull in the wizard deps directly,
+    so `inv test-all` keeps working without an explicit `--extra
+    wizard`.
+
+  Running a wizard subcommand without the extra installed now
+  exits with a one-line install hint and a non-zero exit code,
+  rather than an `ImportError` traceback from deep inside the
+  wizard subtree.
+
+  Bumped to **0.6.0** rather than 0.5.12 because removing top-level
+  dependencies can surprise downstream callers; the version line
+  signals it's worth a glance at the migration note.
+
+## 0.5.11 — 2026-05-14
+
+CI / workflow hygiene. No runtime code changes.
+
+### Security
+
+- **All third-party GitHub Actions pinned to commit SHAs.**
+  `actions/checkout@v4`, `astral-sh/setup-uv@v3`,
+  `actions/upload-artifact@v4`, and `actions/download-artifact@v4`
+  now use commit SHAs across both workflows (`pypa/gh-action-pypi-publish`
+  was already SHA-pinned in 0.5.6). Tag swaps upstream can no longer
+  substitute a malicious version.
+- **`permissions:` blocks declared on every workflow + job.** Both
+  workflows declare a `permissions: contents: read` default at the
+  workflow level and re-state it per job. The `publish` job
+  continues to add `id-token: write` for the OIDC trusted-publisher
+  exchange — that's the only scope above read-only anywhere in
+  the workflows.
+
+### Internal
+
+- `.gitignore` gained `.env`, `.env.*`, and the common credential-file
+  patterns (`*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks`, `*.crt`).
+  Belt-and-braces for misconfigured local dev envs; nothing tracked
+  today depends on these.
+
+## 0.5.10 — 2026-05-14
+
+Security fixes from the 2026-05-13 / 2026-05-14 daily review reports.
+
+### Security
+
+- **Open-redirect bypass in OAuth `redirect_to`.** `_validate_redirect`
+  was forwarding `urlsplit`'s judgment, but browsers normalize values
+  like `/\evil.com` and `////evil.com` into the protocol-relative
+  `//evil.com`. Both forms now rejected.
+- **CVE-2025-62727 — `fastapi>=0.120.0`** (was `>=0.110`). Starlette
+  DoS via large request bodies after multipart processing.
+- **CVE-2025-27516 — `jinja2>=3.1.6`** (was `>=3.1`). Sandbox breakout
+  via the `|attr` filter.
+- **Login lockout coverage extended.** `POST /login` was returning
+  HTTP 403 for `is_active=False` and (when `require_verification=True`)
+  unverified accounts **without** recording a failure — an attacker
+  guessing passwords against either category had unbounded probing.
+  The endpoint now:
+  - Verifies the password **before** the active/verified checks (so
+    an unauthenticated attacker can't distinguish disabled vs active
+    accounts by HTTP code).
+  - Records a failure before raising 403 in either branch.
+- **`POST /change-email` anti-enumeration.** An authenticated
+  attacker could walk the registered-email namespace via the 409 vs
+  202 distinction. The endpoint now always returns 202; clashes are
+  logged server-side and the confirmation email is silently skipped.
+  Matches the existing stance on `/forgot-password` and
+  `/resend-verification`.
+- **Admin resend-verification rejects OAuth-only users** with a clear
+  400 instead of attempting to construct a `PendingRegistration` with
+  `hashed_password=None` (which corrupted the pending-registrations
+  row).
+
 ## 0.5.9 — 2026-05-13
 
 ### Security

{regstack-0.5.9 → regstack-0.6.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "regstack"
-version = "0.5.9"
+version = "0.6.0"
 description = "Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -17,13 +17,18 @@ classifiers = [
     "Topic :: Software Development :: Libraries :: Python Modules",
 ]
 dependencies = [
-    "fastapi>=0.110",
+    # fastapi>=0.120.0 picks up CVE-2025-62727 (Starlette DoS via large
+    # request bodies after multipart processing).
+    "fastapi>=0.120.0",
     "pydantic>=2.6",
     "pydantic-settings>=2.2",
     "pwdlib[argon2]>=0.2.1",
     # pyjwt>=2.12.1 includes the fix for CVE-2026-32597 (`crit` header bypass).
     "pyjwt>=2.12.1",
-    "jinja2>=3.1",
+    # jinja2>=3.1.6 picks up CVE-2025-27516 (sandbox breakout via the
+    # `|attr` filter; only relevant if hosts allow user-controlled
+    # templates, but we tighten the floor anyway).
+    "jinja2>=3.1.6",
     "click>=8.1",
     "dnspython>=2.6",
     # python-multipart>=0.0.26 picks up CVE-2026-40347 (DoS via oversized
@@ -35,11 +40,6 @@ dependencies = [
     "sqlalchemy[asyncio]>=2.0",
     "aiosqlite>=0.20",
     "alembic>=1.13",
-    # OAuth setup wizard (regstack oauth setup) — needs a webview shell,
-    # a small in-process FastAPI server, and round-trip-safe TOML editing.
-    "pywebview>=5.0",
-    "tomlkit>=0.13",
-    "uvicorn[standard]>=0.29",
 ]
 
 [project.optional-dependencies]
@@ -51,6 +51,16 @@ twilio = ["twilio>=9.0"]
 # cryptography>=46.0.7 picks up CVE-2026-26007 (ECC subgroup attack on the
 # JWKS code path) plus CVE-2026-34073 and CVE-2026-39892.
 oauth = ["pyjwt[crypto]>=2.12.1", "cryptography>=46.0.7"]
+# Interactive setup wizards (`regstack oauth setup`, `regstack theme
+# design`). These open a native pywebview window over a local 127.0.0.1
+# FastAPI server and use tomlkit for non-destructive TOML merging.
+# Optional because library consumers who never run the GUI tools don't
+# need a platform browser engine pulled in by pywebview.
+wizard = [
+    "pywebview>=5.0",
+    "tomlkit>=0.13",
+    "uvicorn[standard]>=0.29",
+]
 # Per-route rate limiting on the auth router. The limiter itself can be
 # host-supplied (so hosts that already use slowapi share the same Limiter
 # state), otherwise regstack constructs an in-memory one.
@@ -86,6 +96,10 @@ dev = [
     "pytest-playwright>=0.5",
     # Rate-limit tests exercise the slowapi integration.
     "slowapi>=0.1.9",
+    # Wizard surface (now an optional `wizard` extra) — tests exercise
+    # the setup/theme-designer routes, writers, and Playwright e2e.
+    "pywebview>=5.0",
+    "tomlkit>=0.13",
 ]
 
 [project.scripts]

{regstack-0.5.9 → regstack-0.6.0}/src/regstack/cli/__main__.py

@@ -8,13 +8,39 @@ from regstack.cli.init import init as init_cmd
 from regstack.cli.migrate import migrate as migrate_cmd
 from regstack.version import __version__
 
+_WIZARD_EXTRA_HINT = (
+    "The {subcommand} command requires the optional 'wizard' extra "
+    "(pywebview + tomlkit + uvicorn). Install with "
+    "`pip install regstack[wizard]` or `uv sync --extra wizard`."
+)
+
+
+def _missing_wizard_extra(subcommand: str) -> click.Command:
+    """Click command that prints a clear install hint and exits non-zero.
+
+    Used as the fallback when a wizard subcommand is invoked but the
+    ``wizard`` extra isn't installed — gives a one-line actionable
+    message instead of an ImportError traceback from deep inside the
+    wizard package.
+    """
+    name = subcommand.split()[-1]
+
+    @click.command(name=name, help="(needs `regstack[wizard]`)")
+    def _stub() -> None:
+        click.echo(_WIZARD_EXTRA_HINT.format(subcommand=f"`{subcommand}`"), err=True)
+        raise SystemExit(2)
+
+    return _stub
+
 
 class _LazyOauthGroup(click.Group):
     """Defer wizard imports until ``regstack oauth …`` is actually run.
 
-    Importing the wizard pulls in pywebview, uvicorn, and tomlkit. We
-    don't want to pay that on every ``regstack init`` / ``regstack doctor``
-    invocation. Click's :meth:`Group.get_command` is the seam.
+    Importing the wizard pulls in pywebview, uvicorn, and tomlkit (the
+    ``wizard`` optional extra). Hosts who don't use the GUI tools
+    don't pay for those deps at install time; the cost is that
+    running a wizard subcommand without the extra exits with a clear
+    install hint instead of an ImportError.
     """
 
     def list_commands(self, ctx: click.Context) -> list[str]:
@@ -23,8 +49,10 @@ class _LazyOauthGroup(click.Group):
     def get_command(self, ctx: click.Context, name: str) -> click.Command | None:
         if name != "setup":
             return None
-        from regstack.wizard.oauth_google.cli import setup as setup_cmd
-
+        try:
+            from regstack.wizard.oauth_google.cli import setup as setup_cmd
+        except ImportError:
+            return _missing_wizard_extra("regstack oauth setup")
         return setup_cmd
 
 
@@ -37,8 +65,10 @@ class _LazyThemeGroup(click.Group):
     def get_command(self, ctx: click.Context, name: str) -> click.Command | None:
         if name != "design":
             return None
-        from regstack.wizard.theme_designer.cli import design as design_cmd
-
+        try:
+            from regstack.wizard.theme_designer.cli import design as design_cmd
+        except ImportError:
+            return _missing_wizard_extra("regstack theme design")
         return design_cmd
 
 

{regstack-0.5.9 → regstack-0.6.0}/src/regstack/routers/account.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import logging
 from typing import TYPE_CHECKING, Annotated, Any
 
 import jwt as pyjwt
@@ -20,6 +21,8 @@ if TYPE_CHECKING:
 _EMAIL_CHANGE_PURPOSE = "email_change"
 _NEW_EMAIL_CLAIM = "new_email"
 
+log = logging.getLogger("regstack.account")
+
 
 class ChangePasswordRequest(BaseModel):
     model_config = ConfigDict(extra="forbid")
@@ -124,12 +127,24 @@ def build_account_router(rs: RegStack) -> APIRouter:
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail="Current password is incorrect.",
             )
+
+        # Anti-enumeration: an authenticated attacker could otherwise
+        # walk the registered-email namespace by alternating 409 vs 202
+        # responses on this endpoint. Always return 202; if the address
+        # is already taken, log and skip the email send. The legitimate
+        # user finds out by not receiving the confirmation mail; the
+        # final uniqueness check still happens at /confirm-email-change
+        # via the users.update_email unique constraint.
         clash = await rs.users.get_by_email(payload.new_email)
+        accepted = MessageResponse(
+            message="If that email address is not already in use, a confirmation link has been sent.",
+        )
         if clash is not None:
-            raise HTTPException(
-                status_code=status.HTTP_409_CONFLICT,
-                detail="That email address is already in use.",
+            log.info(
+                "change-email blocked by clash (anti-enumeration): user_id=%s",
+                user.id,
             )
+            return accepted
 
         assert user.id is not None
         ttl = rs.config.email_change_token_ttl_seconds
@@ -148,9 +163,7 @@ def build_account_router(rs: RegStack) -> APIRouter:
             new_email=payload.new_email,
             url=url,
         )
-        return MessageResponse(
-            message="A confirmation link has been sent to the new email address."
-        )
+        return accepted
 
     @router.post(
         "/confirm-email-change",

{regstack-0.5.9 → regstack-0.6.0}/src/regstack/routers/admin.py

@@ -154,6 +154,21 @@ def build_admin_router(rs: RegStack) -> APIRouter:
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail="User is already verified.",
             )
+        # OAuth-only users (no password) shouldn't be unverified — their
+        # OAuth identity was the verification. If somehow one ended up
+        # unverified, the password-bearing verification flow can't help:
+        # PendingRegistration requires a `hashed_password: str` and
+        # would store the literal string "None" (or fail validation,
+        # depending on the pydantic config). Surface this clearly
+        # instead of silently corrupting the pending-registrations row.
+        if user.hashed_password is None:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=(
+                    "User has no password (OAuth-only). Verify them directly "
+                    "via the user record instead of resending verification email."
+                ),
+            )
 
         # Move the user to a pending registration row so the standard verify
         # endpoint completes the flow. Less special-case code, one path.

{regstack-0.5.9 → regstack-0.6.0}/src/regstack/routers/login.py

@@ -70,11 +70,11 @@ def build_login_router(rs: RegStack) -> APIRouter:
         if user is None or user.id is None:
             await rs.lockout.record_failure(payload.email)
             raise _INVALID
-        if not user.is_active:
-            raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail="Account is disabled.",
-            )
+        # Password verification runs first so the is_active and
+        # is_verified branches below are only reachable by an attacker
+        # who already knows the password. Without this ordering, an
+        # unauthenticated probe could distinguish disabled / unverified
+        # / non-existent accounts by HTTP code alone.
         # An OAuth-only user (hashed_password=None) returns the same
         # generic 401 as a wrong-password attempt — never reveal that
         # the account exists but has no password set, so an attacker
@@ -84,7 +84,19 @@ def build_login_router(rs: RegStack) -> APIRouter:
         ):
             await rs.lockout.record_failure(payload.email)
             raise _INVALID
+        # Even with the right password, disabled / unverified accounts
+        # must still increment the lockout counter — otherwise a
+        # password-stuffing attacker who happens to be holding the
+        # correct credentials for a disabled account gets unbounded
+        # probing.
+        if not user.is_active:
+            await rs.lockout.record_failure(payload.email)
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Account is disabled.",
+            )
         if rs.config.require_verification and not user.is_verified:
+            await rs.lockout.record_failure(payload.email)
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Email address has not been verified.",