From d574867abb67a9267bb1a6d9e7b760dbd9fb2fa3 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Sun, 26 Apr 2026 15:57:01 -0700
Subject: [PATCH] Fix: use only allauth login/logout endpoints (#12639)
---
 src/paperless/tests/test_api_auth.py | 48 ++++++++++++++++++++++++++++
 src/paperless/urls.py | 16 +++++++++-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 src/paperless/tests/test_api_auth.py
diff --git a/src/paperless/tests/test_api_auth.py b/src/paperless/tests/test_api_auth.py
new file mode 100644
index 000000000..d55b4bdb2
--- /dev/null
+++ b/src/paperless/tests/test_api_auth.py
@@ -0,0 +1,48 @@
+import uuid
+
+from django.contrib.auth.models import User
+from django.test import TestCase
+from django.test import override_settings
+from django.urls import resolve
+from django.urls import reverse
+from rest_framework import status
+
+
+class TestApiAuthViews(TestCase):
+ def test_api_auth_login_uses_allauth_login_view(self):
+ response = self.client.get(reverse("rest_framework:login"))
+
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertTemplateUsed(response, "account/login.html")
+
+ def test_api_auth_login_uses_same_view_as_account_login(self):
+ api_match = resolve("/api/auth/login/")
+ account_match = resolve("/accounts/login/")
+
+ self.assertIs(api_match.func.view_class, account_match.func.view_class)
+
+ @override_settings(DISABLE_REGULAR_LOGIN=True)
+ def test_api_auth_login_respects_disable_regular_login(self):
+ username = f"testuser-{uuid.uuid4().hex}"
+ User.objects.create_user(
+ username=username,
+ password="testpassword",
+ )
+
+ response = self.client.post(
+ reverse("rest_framework:login"),
+ data={
+ "login": username,
+ "password": "testpassword",
+ "next": "/api/documents/",
+ },
+ )
+
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertTemplateUsed(response, "account/login.html")
+ self.assertContains(response, "Regular login is disabled")
+ self.assertNotIn("_auth_user_id", self.client.session)
+
+ def test_api_auth_logout_uses_named_route(self):
+ self.assertEqual(reverse("rest_framework:login"), "/api/auth/login/")
+ self.assertEqual(reverse("rest_framework:logout"), "/api/auth/logout/")
diff --git a/src/paperless/urls.py b/src/paperless/urls.py
index e24d1a459..e9635a0ed 100644
--- a/src/paperless/urls.py
+++ b/src/paperless/urls.py
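Review bot: `test_api_auth_logout_uses_named_route` only pins the reversed paths, so nothing in this file would fail if `/api/auth/logout/` were later routed to a non-allauth view. Login gets a view-identity check in `test_api_auth_login_uses_same_view_as_account_login`, but logout has no counterpart. Consider adding one, e.g. `self.assertIs(resolve("/api/auth/logout/").func.view_class, resolve("/accounts/logout/").func.view_class)`, assuming the account logout route is mounted next to `/accounts/login/`. In the disabled-login test, the assertion that carries the security guarantee is `assertNotIn("_auth_user_id", self.client.session)`. The `assertContains` on the literal message "Regular login is disabled" is the more fragile check, because it breaks if the wording or the active locale changes.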
@@ -89,7 +89,21 @@ urlpatterns = [
 re_path(
 "^auth/",
 include(
- ("rest_framework.urls", "rest_framework"),
+ (
+ [
+ path(
+ "login/",
+ allauth_account_views.login,
+ name="login",
+ ),
+ path(
+ "logout/",
+ allauth_account_views.logout,
+ name="logout",
+ ),
+ ],
+ "rest_framework",
+ ),
 namespace="rest_framework",
 ),
 ),
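Review bot: The inline URL list under `"^auth/"` carries no comment explaining why the `rest_framework` namespace is kept while both views come from allauth, and that is the detail a later cleanup is most likely to undo. A comment above the list would record the intent, e.g. `# Keep the "rest_framework" namespace so reverse("rest_framework:login") still works, but serve allauth's views so login restrictions such as DISABLE_REGULAR_LOGIN apply here too; do not revert to include("rest_framework.urls").` The hunk adds no import, so `path` and `allauth_account_views` are presumably already imported earlier in urls.py, which is worth confirming. The enclosing `urlpatterns` list starts and ends outside the hunk.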