Add a new column to distinguish local from external users

modules/backend/src/main/scala/docspell/backend/auth/Login.scala

@@ -194,7 +194,7 @@ object Login {
               logF.info(s"Account lookup via remember me: $data")
             )
             res <- OptionT.liftF(
-              if (checkNoPassword(data))
+              if (checkNoPassword(data, AccountSource.all.toList.toSet))
                 logF.info("RememberMe auth successful") *> okResult(data.account)
               else
                 logF.warn("RememberMe auth not successful") *> Result.invalidAuth.pure[F]
@@ -260,13 +260,17 @@ object Login {
 
       private def check(given: String)(data: QLogin.Data): Boolean = {
         val passOk = BCrypt.checkpw(given, data.password.pass)
-        checkNoPassword(data) && passOk
+        checkNoPassword(data, Set(AccountSource.Local)) && passOk
       }
 
-      private def checkNoPassword(data: QLogin.Data): Boolean = {
+      def checkNoPassword(
+          data: QLogin.Data,
+          expectedSources: Set[AccountSource]
+      ): Boolean = {
         val collOk = data.collectiveState == CollectiveState.Active ||
           data.collectiveState == CollectiveState.ReadOnly
-        val userOk = data.userState == UserState.Active
+        val userOk =
+          data.userState == UserState.Active && expectedSources.contains(data.source)
         collOk && userOk
       }
     })

modules/backend/src/main/scala/docspell/backend/ops/OCollective.scala

@@ -9,7 +9,6 @@ package docspell.backend.ops
 import cats.effect.{Async, Resource}
 import cats.implicits._
 import fs2.Stream
-
 import docspell.backend.JobFactory
 import docspell.backend.PasswordCrypt
 import docspell.backend.ops.OCollective._
@@ -20,7 +19,6 @@ import docspell.store.queue.JobQueue
 import docspell.store.records._
 import docspell.store.usertask.{UserTask, UserTaskScope, UserTaskStore}
 import docspell.store.{AddResult, Store}
-
 import com.github.eikek.calev._
 
 trait OCollective[F[_]] {
@@ -95,9 +93,11 @@ object OCollective {
   object PassResetResult {
     case class Success(newPw: Password) extends PassResetResult
     case object NotFound                extends PassResetResult
+    case object UserNotLocal            extends PassResetResult
 
     def success(np: Password): PassResetResult = Success(np)
     def notFound: PassResetResult              = NotFound
+    def userNotLocal: PassResetResult          = UserNotLocal
   }
 
   sealed trait PassChangeResult
@@ -105,12 +105,14 @@ object OCollective {
     case object UserNotFound     extends PassChangeResult
     case object PasswordMismatch extends PassChangeResult
     case object UpdateFailed     extends PassChangeResult
+    case object UserNotLocal     extends PassChangeResult
     case object Success          extends PassChangeResult
 
     def userNotFound: PassChangeResult     = UserNotFound
     def passwordMismatch: PassChangeResult = PasswordMismatch
     def success: PassChangeResult          = Success
     def updateFailed: PassChangeResult     = UpdateFailed
+    def userNotLocal: PassChangeResult     = UserNotLocal
   }
 
   case class RegisterData(
@@ -245,11 +247,14 @@ object OCollective {
       def resetPassword(accountId: AccountId): F[PassResetResult] =
         for {
           newPass <- Password.generate[F]
+          optUser <- store.transact(RUser.findByAccount(accountId))
           n <- store.transact(
             RUser.updatePassword(accountId, PasswordCrypt.crypt(newPass))
           )
           res =
-            if (n <= 0) PassResetResult.notFound
+            if (optUser.exists(_.source != AccountSource.Local))
+              PassResetResult.userNotLocal
+            else if (n <= 0) PassResetResult.notFound
             else PassResetResult.success(newPass)
         } yield res
 
@@ -270,6 +275,8 @@ object OCollective {
           res = check match {
             case Some(true) =>
               if (n.getOrElse(0) > 0) PassChangeResult.success
+              else if (optUser.exists(_.source != AccountSource.Local))
+                PassChangeResult.userNotLocal
               else PassChangeResult.updateFailed
             case Some(false) =>
               PassChangeResult.passwordMismatch

modules/backend/src/main/scala/docspell/backend/signup/OSignup.scala

@@ -109,6 +109,7 @@ object OSignup {
               data.collName,
               PasswordCrypt.crypt(data.password),
               UserState.Active,
+              AccountSource.Local,
               None,
               0,
               None,