From a2fdf091f555368289f367220093088ac8c0dbb6 Mon Sep 17 00:00:00 2001
From: Andreas Wrede
Date: Fri, 8 May 2026 13:34:57 -0400
Subject: [PATCH] fix: preserve OAuth users across config reload; fix test isolation
Co-Authored-By: Claude Sonnet 4.6
---
 hbd/server/users.py | 9 +++++++++
 tests/test_oauth.py | 22 ++++++++++++++++++----
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/hbd/server/users.py b/hbd/server/users.py
index aef730c..a570cbf 100644
--- a/hbd/server/users.py
+++ b/hbd/server/users.py
@@ -146,9 +146,14 @@ def load_users(config: dict) -> dict:
 Returns the new ``users`` dict.
 """
 global users
+ old_users = dict(users) # snapshot before rebuild
 users_cfg = config.get("users", {})
 if not isinstance(users_cfg, dict):
 users = {}
+ # Preserve OAuth-provisioned users (password_hash == "") that aren't in config.
+ for username, existing_user in old_users.items():
+ if not existing_user.password_hash and username not in users:
+ users[username] = existing_user
 return users
 result: dict = {}
@@ -166,6 +171,10 @@ def load_users(config: dict) -> dict:
 )
 users = result
+ # Preserve OAuth-provisioned users (password_hash == "") that aren't in config.
+ for username, existing_user in old_users.items():
+ if not existing_user.password_hash and username not in users:
+ users[username] = existing_user
 logger.info("Loaded %d user(s) from config", len(users))
 return users
diff --git a/tests/test_oauth.py b/tests/test_oauth.py
index 8388ba2..a43d88c 100644
--- a/tests/test_oauth.py
+++ b/tests/test_oauth.py
@@ -3,6 +3,8 @@ import time as time_mod
 import pytest
 from hbd.server import oauth
+from hbd.server import users as users_mod
+from hbd.server.users import User
 CFG_OFF = {}
@@ -25,6 +27,13 @@ def clear_oauth_states():
 oauth._states.clear()
+@pytest.fixture(autouse=True)
+def reset_users_dict():
+ original = dict(users_mod.users)
+ yield
+ users_mod.users = original
+
+
 def test_is_enabled_when_all_keys_present():
 assert oauth.is_enabled(CFG_ON) is True
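Review bot: In `load_users` (hbd/server/users.py, first hunk) the carry-over test `not existing_user.password_hash` treats every account with an empty hash as OAuth-provisioned, so the empty string doubles as a provenance marker. Any such entry now survives a reload even after it was removed from the config, which means a reload no longer revokes it and it stays usable until the process restarts; whether a config entry can produce an empty hash is not visible here. An explicit marker set by `provision_oauth_user` would make the check unambiguous, and the docstring should state the new contract, for example `# NOTE: OAuth-provisioned users are never removed by reload; restart or an explicit delete is required`. The same loop is repeated in the second hunk and could be a single private helper. The body of `load_users` starts above this hunk.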
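Review bot: The `logger.info("Loaded %d user(s) from config", len(users))` line in the second hunk of hbd/server/users.py now runs after the carry-over loop, so the count includes accounts that are not in the config at all. Because `users = result` binds the same dict, `len(result)` is inflated as well; take the count before the loop, `configured = len(result)`, and log both figures, `logger.info("Loaded %d user(s) from config, kept %d OAuth user(s)", configured, len(users) - configured)`. A separate count makes an unexpected surviving account visible in the reload log. The early-return branch in the first hunk keeps accounts without logging anything.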
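Review bot: The `reset_users_dict` fixture is autouse only inside tests/test_oauth.py, yet `load_users` now carries state from one call to the next, so an OAuth entry left behind by another test module would leak into that module's later `load_users` calls. Moving the fixture to a shared `conftest.py` would cover every module; whether other modules touch `users_mod.users` is not visible here. The snapshot `dict(users_mod.users)` is shallow, so `User` objects that a test mutates in place are not restored.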
@@ -66,10 +75,6 @@ def test_validate_state_expired(monkeypatch):
 assert oauth.validate_state(state) is False
-from hbd.server import users as users_mod
-from hbd.server.users import User
-
-
 def _reset_users(entries=None):
 users_mod.users = entries or {}
@@ -116,3 +121,12 @@ def test_provision_oauth_user_does_not_overwrite_with_empty():
 user = users_mod.provision_oauth_user("bob", "", "")
 assert user.full_name == "Bob"
 assert user.avatar == "bob.png"
+
+
+def test_provision_oauth_user_survives_config_reload():
+ _reset_users()
+ users_mod.provision_oauth_user("oauthonly", "OAuth Only", "https://example.com/a.png")
+ assert "oauthonly" in users_mod.users
+ # Reload with empty config — OAuth user should survive
+ users_mod.load_users({})
+ assert "oauthonly" in users_mod.users
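Review bot: `test_provision_oauth_user_survives_config_reload` passes `{}`, so `config.get("users", {})` returns a dict and only the main path of `load_users` is exercised; the early-return branch for a non-dict `users` section, which got its own copy of the carry-over loop, is untested. There is also no negative case showing that a password-backed user dropped from the config disappears on reload, which is the property that keeps reload usable for revocation; that test needs a `User` instance and its constructor is not visible in this hunk. A test for the early-return branch can reuse the helpers already in the file.

```python
def test_provision_oauth_user_survives_non_dict_users_section():
    _reset_users()
    users_mod.provision_oauth_user("oauthonly", "OAuth Only", "https://example.com/a.png")
    # "users" is a list, so load_users takes the early-return branch
    users_mod.load_users({"users": []})
    assert "oauthonly" in users_mod.users
```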