From e212c91ebfcb3d8e386101147b69cf2cb40c2a40 Mon Sep 17 00:00:00 2001
From: Ginger
Date: Tue, 5 May 2026 13:35:35 -0400
Subject: [PATCH] fix: Address review comments

---
 src/api/client/account/register.rs | 6 +++++-
 src/service/users/mod.rs | 31 +++++++++++++++++-------------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/api/client/account/register.rs b/src/api/client/account/register.rs
index 1e765a558..a4424425f 100644
--- a/src/api/client/account/register.rs
+++ b/src/api/client/account/register.rs
@@ -14,7 +14,7 @@ use ruma::{
 OwnedUserId, UserId,
 api::client::{
 account::{
- register::{self, LoginType},
+ register::{self, LoginType, RegistrationKind},
 request_registration_token_via_email,
 },
 uiaa::{AuthFlow, AuthType},
@@ -48,6 +48,10 @@ pub(crate) async fn register_route(
 ClientIp(client): ClientIp,
 body: Ruma,
 ) -> Result {
+ if body.kind != RegistrationKind::User {
+ return Err!(Request(GuestAccessForbidden("Guests may not register on this server.")));
+ }
+
 let emergency_mode_enabled = services.config.emergency_password.is_some();
 
 // Allow registration if it's enabled in the config file or if this is the first
diff --git a/src/service/users/mod.rs b/src/service/users/mod.rs
index 1524e3dda..c9a87f05a 100644
--- a/src/service/users/mod.rs
+++ b/src/service/users/mod.rs
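Review bot: The new guest check at the top of `register_route` rejects every `kind` other than `User` without a comment saying why, so a later reader cannot tell whether guest accounts are unsupported by design or just not implemented yet. I would add `// Guest accounts are not supported here; refuse kind=guest before any of the registration or UIAA handling below runs.` above the `if`. Comparing with `!=` rather than matching `Guest` is the right fail-closed choice if `RegistrationKind` is `#[non_exhaustive]`, because an unknown kind is then refused instead of being registered as a full user — worth stating in that comment too. Whether `GuestAccessForbidden` is the error code the client-server spec expects for a server that does not offer guest registration is worth confirming. `register_route` continues beyond the hunk.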
@@ -369,20 +369,25 @@ impl Service {
 
 /// Check a user's password.
 pub async fn check_password(&self, user_id: &UserId, password: &str) -> Result {
- let (hash, user_id): (String, OwnedUserId) =
- if let Ok(hash) = self.db.userid_password.get(user_id).await.deserialized() {
- (hash, user_id.to_owned())
- } else {
- // We also check the lowercased version of the user ID to handle legacy user IDs
- // better
- let lowercase_user_id = UserId::parse(user_id.as_str().to_lowercase()).unwrap();
+ let (hash, user_id): (String, OwnedUserId) = if let Ok(hash) =
+ self.db.userid_password.get(user_id).await.deserialized()
+ {
+ (hash, user_id.to_owned())
+ } else {
+ // We also check the lowercased version of the user ID to handle legacy user IDs
+ // better
+ let lowercase_user_id = UserId::parse(user_id.as_str().to_lowercase()).unwrap();
 
- if let Ok(hash) = self.db.userid_password.get(user_id).await.deserialized() {
- (hash, lowercase_user_id)
- } else {
- return Err!(Request(UserDeactivated("This user is deactivated.")));
- }
- };
+ if let Ok(hash) = self.db.userid_password.get(user_id).await.deserialized() {
+ (hash, lowercase_user_id)
+ } else {
+ return Err!(Request(InvalidParam("This user cannot log in with a password.")));
+ }
+ };
+
+ if hash.is_empty() {
+ return Err!(Request(UserDeactivated("This user is deactivated")));
+ }
 
 utils::hash::verify_password(password, &hash)
 .inspect_err(|e| debug_error!("{e}"))
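Review bot: The legacy fallback in the `else` branch still looks up `user_id` rather than `lowercase_user_id`, so it repeats the lookup that just failed and can never find the lowercased entry; the line should read `if let Ok(hash) = self.db.userid_password.get(&lowercase_user_id).await.deserialized() {`. The commit carries this over from the old code, but the new side is what ships. Separately, an unknown or password-less user now gets `InvalidParam` while a deactivated one gets `UserDeactivated` and a wrong password presumably something else from `verify_password`, which lets an unauthenticated caller tell those states apart — if this surfaces unchanged at /login it is an account-enumeration vector, so consider collapsing the first case into the generic failure unless a spec-mandated `M_USER_DEACTIVATED` is required. `UserId::parse(...).unwrap()` on the lowercased ID also assumes lowercasing never breaks validity; a `let Ok(lowercase_user_id) = ... else { return Err!(...) };` would remove a panic path on caller-supplied input. `check_password` ends outside the hunk.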