fix login entry fallback

server-rs/crates/api-server/src/app.rs

@@ -1437,6 +1437,34 @@ mod tests {
         );
     }
 
+    #[tokio::test]
+    async fn auth_login_options_keeps_password_entry_when_external_methods_disabled() {
+        let app = build_router(AppState::new(AppConfig::default()).expect("state should build"));
+        let response = app
+            .oneshot(
+                Request::builder()
+                    .uri("/api/auth/login-options")
+                    .body(Body::empty())
+                    .expect("request should build"),
+            )
+            .await
+            .expect("request should succeed");
+
+        assert_eq!(response.status(), StatusCode::OK);
+        let body = response
+            .into_body()
+            .collect()
+            .await
+            .expect("body should collect")
+            .to_bytes();
+        let payload: Value = serde_json::from_slice(&body).expect("body should be valid json");
+
+        assert_eq!(
+            payload["availableLoginMethods"],
+            serde_json::json!(["password"])
+        );
+    }
+
     #[tokio::test]
     async fn send_phone_code_returns_mock_cooldown_and_expire_seconds() {
         let config = AppConfig {

server-rs/crates/shared-contracts/src/auth.rs

@@ -215,7 +215,7 @@ mod tests {
     use serde_json::json;
 
     #[test]
-    fn available_login_methods_keep_phone_then_wechat_order() {
+    fn available_login_methods_keep_phone_password_wechat_order() {
         let methods = build_available_login_methods(true, true, true);
 
         assert_eq!(
@@ -228,6 +228,13 @@ mod tests {
         );
     }
 
+    #[test]
+    fn available_login_methods_keep_password_as_default_entry() {
+        let methods = build_available_login_methods(false, true, false);
+
+        assert_eq!(methods, vec![AUTH_LOGIN_METHOD_PASSWORD.to_string()]);
+    }
+
     #[test]
     fn password_entry_request_uses_camel_case_fields() {
         let payload = serde_json::to_value(PasswordEntryRequest {