From f50ec538db2ad9bb5f8c5130bc781d5cc5a00007 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Fri, 23 Jan 2026 19:19:56 -0300
Subject: [PATCH] firefly: check password by username fallback

---
 ariadne/services/firefly.py | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/ariadne/services/firefly.py b/ariadne/services/firefly.py
index 7e461a2..5874824 100644
--- a/ariadne/services/firefly.py
+++ b/ariadne/services/firefly.py
@@ -190,10 +190,11 @@ _FIREFLY_PASSWORD_CHECK_SCRIPT = textwrap.dedent(
     }
 
     $email = trim((string) getenv('FIREFLY_USER_EMAIL'));
+    $username = trim((string) getenv('FIREFLY_USER_USERNAME'));
     $password = (string) getenv('FIREFLY_USER_PASSWORD');
 
-    if ($email === '' || $password === '') {
-        error_line('missing FIREFLY_USER_EMAIL or FIREFLY_USER_PASSWORD');
+    if (($email === '' && $username === '') || $password === '') {
+        error_line('missing FIREFLY_USER_EMAIL or FIREFLY_USER_USERNAME or FIREFLY_USER_PASSWORD');
         exit(2);
     }
 
@@ -223,7 +224,17 @@ _FIREFLY_PASSWORD_CHECK_SCRIPT = textwrap.dedent(
         error_line('failed to enforce single_user_mode: ' . $exc->getMessage());
     }
 
-    $existing_user = User::where('email', $email)->first();
+    if ($email !== '') {
+        $query = User::where('email', $email);
+    } else {
+        $query = User::where('username', $username);
+    }
+
+    if ($email !== '' && $username !== '') {
+        $query = $query->orWhere('username', $username);
+    }
+
+    $existing_user = $query->first();
     if (!$existing_user) {
         error_line('firefly user missing');
         exit(3);
@@ -537,10 +548,12 @@ class FireflyService:
         output = (result.stdout or result.stderr).strip()
         return {"status": "ok", "detail": output}
 
-    def check_password(self, email: str, password: str) -> dict[str, Any]:
+    def check_password(self, email: str, password: str, username: str = "") -> dict[str, Any]:
         email = (email or "").strip()
+        username = (username or "").strip()
         if not email:
-            raise RuntimeError("missing email")
+            if not username:
+                raise RuntimeError("missing email")
         if not password:
             raise RuntimeError("missing password")
         if not settings.firefly_namespace:
@@ -548,6 +561,7 @@ class FireflyService:
 
         env = {
             "FIREFLY_USER_EMAIL": email,
+            "FIREFLY_USER_USERNAME": username,
             "FIREFLY_USER_PASSWORD": password,
         }
 
@@ -573,7 +587,7 @@ class FireflyService:
     def _rotation_outcome(self, prepared: FireflySyncInput) -> UserSyncOutcome:
         if prepared.rotated_at:
             return UserSyncOutcome("skipped")
-        check = self.check_password(prepared.mailu_email, prepared.password)
+        check = self.check_password(prepared.mailu_email, prepared.password, prepared.username)
         status = check.get("status") if isinstance(check, dict) else "error"
         if status == "match":
             return UserSyncOutcome("skipped")