n8n - 💡(How to fix) Fix Manual login with a wrong password returns the "log in with SSO" error [1 pull requests]

Fix Action

Fixed


Describe the bug

When SSO (SAML or OIDC) is the active authentication method and a user is allowed to sign in manually (allowSSOManualLogin = true), entering a wrong password on the email/password form returns 401 "SSO is enabled, please log in with SSO".

Manual login is actually permitted for the account — the password was simply wrong — so the error is misleading. It points people at the SSO setup (toggling SAML, checking the IdP, looking at the DB) when all that happened is a mistyped password.

To reproduce

  1. Set the instance authentication method to SAML or OIDC.
  2. On a non-owner user, enable "Allow manual login" so allowSSOManualLogin is true.
  3. Open /signin and submit that user's email with an incorrect password.
  4. Login fails with "SSO is enabled, please log in with SSO".

Expected behaviour

The normal wrong-credentials error ("Wrong username or password. Do you have caps lock on?"), since manual login is allowed and only the password is wrong.

Actual behaviour

"SSO is enabled, please log in with SSO", which implies the account cannot use manual login at all.

Root cause

In AuthController.login (packages/cli/src/controllers/auth.controller.ts), validateSsoRestrictions(preliminaryUser) runs on the result of the password check. EmailAuthHandler.handleLogin returns undefined for a wrong password, and the SSO check treats an undefined user as a blocked SSO user — all of its conditions are true for undefined — so it throws the SSO error before the wrong-credentials path is ever reached.

Environment

  • n8n version: 2.22.4 (also reproduces on current master)
  • Auth method: SAML / OIDC
  • Database: not relevant (reproduces regardless)
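
The ordering problem described under "Root cause", as an added TypeScript example that is not n8n's code: a simplified model of a login path where the SSO guard runs on the raw result of the password check, next to the reordered version. The names checkPassword, ssoBlocks, loginBuggy and loginFixed, the owner exemption, the use of optional chaining in the guard and the sample accounts are assumptions made for illustration.

```typescript
// Added illustration: a simplified model, not n8n's source. All names are hypothetical.
type User = { email: string; role: 'owner' | 'member'; allowSSOManualLogin: boolean };

const SSO_ERROR = 'SSO is enabled, please log in with SSO';
const CREDS_ERROR = 'Wrong username or password. Do you have caps lock on?';

// Constructed sample accounts (plaintext passwords only to keep the model short).
const accounts: Array<{ user: User; password: string }> = [
  { user: { email: 'manual@example.com', role: 'member', allowSSOManualLogin: true }, password: 'correct-horse' },
  { user: { email: 'sso-only@example.com', role: 'member', allowSSOManualLogin: false }, password: 'battery-staple' },
];

// Stand-in for the password check: undefined means "no matching credentials".
function checkPassword(email: string, password: string): User | undefined {
  return accounts.find((a) => a.user.email === email && a.password === password)?.user;
}

// Guard written with optional chaining: every condition is also true for undefined,
// so a failed password check looks like a user who must use SSO.
function ssoBlocks(user: User | undefined): boolean {
  return user?.role !== 'owner' && !user?.allowSSOManualLogin;
}

// Order described in the issue: the guard sees the raw result of the password check.
function loginBuggy(email: string, password: string): string {
  const preliminaryUser = checkPassword(email, password);
  if (ssoBlocks(preliminaryUser)) return SSO_ERROR;
  if (!preliminaryUser) return CREDS_ERROR; // never reached: undefined is caught by the guard
  return 'ok';
}

// Reordered: a failed password check is reported before the SSO guard runs.
function loginFixed(email: string, password: string): string {
  const preliminaryUser = checkPassword(email, password);
  if (!preliminaryUser) return CREDS_ERROR;
  if (ssoBlocks(preliminaryUser)) return SSO_ERROR;
  return 'ok';
}
```

In this model the guard still fails closed for an SSO-only account that presents a correct password; only the message for a failed password check changes.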
