Fix login authentication when principal is provided as email

[fuzziecoder]

Motivation

• Clients were failing to obtain JWTs when they supplied an email address to the token endpoint while the demo identity store is keyed by short usernames (e.g. admin, viewer).

Description

• Updated TokenRequest in backend/api/security.py to accept optional username and email fields and added a principal property to normalize the login principal.
• Added _candidate_usernames helper and changed authenticate_user to accept a principal and try both the full normalized input and the local-part (before @) when matching the demo user store.
• Hardened the /api/auth/token route in backend/api/routes/auth.py to validate that either username or email was provided and to call the updated authenticate_user with the resolved principal.

Testing

• Ran a quick Python smoke-check that exercised authenticate_user with both username and email forms which succeeded via: python - <<'PY' ... authenticate_user(...) assertions ... PY (all assertions passed).
• Verified the modified files compile cleanly with python -m py_compile backend/api/security.py backend/api/routes/auth.py (succeeded).
• Attempted pytest -q backend/tests/test_security.py but collection failed in this environment due to a missing optional test dependency (httpx), which is unrelated to the auth code changes.

---

Codex Task

---

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
flexi-roaster	Ready	Preview, Comment	Feb 25, 2026 1:05pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/fix-login-authentication-issue

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.