@@ -170,8 +170,8 @@ func (s *authService) InitiatePasswordSetup(
170170 }
171171
172172 // Check if credentials already exist (user already has a password)
173- _ , err = s .credentialsStorage .GetCredentials (ctx , email )
174- if err == nil {
173+ credentials , err : = s .credentialsStorage .GetCredentials (ctx , email )
174+ if err == nil && credentials . PasswordHash != "" {
175175 // Password already exists, don't reveal this for security
176176 s .logger .Warn ("Password setup attempted for account with existing password" , zap .String ("email" , email ))
177177 return & authproto.InitiatePasswordSetupResponse {
@@ -304,8 +304,8 @@ func (s *authService) SetupPassword(
304304 }
305305
306306 // Check if credentials already exist (prevent double setup)
307- _ , err = s .credentialsStorage .GetCredentials (ctx , setupToken .Email )
308- if err == nil {
307+ credentials , err : = s .credentialsStorage .GetCredentials (ctx , setupToken .Email )
308+ if err == nil && credentials . PasswordHash != "" {
309309 s .logger .Error ("Setup attempted for account with existing password" , zap .String ("email" , setupToken .Email ))
310310 dt , err := auth .StatusPasswordAlreadyExists .WithDetails (& errdetails.LocalizedMessage {
311311 Locale : localizer .GetLocale (),
@@ -397,8 +397,8 @@ func (s *authService) ValidatePasswordSetupToken(
397397 email := ""
398398 if isValid {
399399 // Additional validation: check if account still needs password setup
400- _ , err := s .credentialsStorage .GetCredentials (ctx , setupToken .Email )
401- if err == nil {
400+ credentials , err := s .credentialsStorage .GetCredentials (ctx , setupToken .Email )
401+ if err == nil && credentials . PasswordHash != "" {
402402 // Credentials already exist, token is no longer valid for setup
403403 isValid = false
404404 } else if ! errors .Is (err , storage .ErrCredentialsNotFound ) {
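Review bot: In ValidatePasswordSetupToken the `else if !errors.Is(err, storage.ErrCredentialsNotFound)` branch is now reached with `err == nil` whenever a credentials record exists with an empty PasswordHash, because the first condition no longer covers every nil-error case and `errors.Is(nil, ...)` is false. That is the case this commit is meant to allow, so a valid setup token is presumably handled as a storage failure; the branch body lies outside the hunk. Guard it as `} else if err != nil && !errors.Is(err, storage.ErrCredentialsNotFound) {`. The same two-part condition is added in InitiatePasswordSetup and SetupPassword, whose error handling after the `if` is not visible here and should be checked for the same assumption. If GetCredentials can return a nil record together with a nil error, `credentials.PasswordHash` also needs a nil check in all three places.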