core: fix judger login if builtin login disabled

[renbaoshuo]

Summary by CodeRabbit

• New Features
  • Added explicit judge-mode login support: clients now include a judge flag when authenticating.
  • Login rules updated so judge-mode access is allowed when the server permits it or when the target account has judge privileges; standard login behavior remains unchanged.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6c47f44e-f6c1-40f0-aaa5-0d814c8b477a

📥 Commits

Reviewing files that changed from the base of the PR and between 0717006 and 7e05969.

📒 Files selected for processing (2)

• packages/hydrojudge/src/hosts/hydro.ts
• packages/hydrooj/src/handler/user.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/hydrojudge/src/hosts/hydro.ts

---

Walkthrough

This PR adds a judge-specific login flow: the Hydro client now includes judge: 'on' in the login POST payload, and UserLoginHandler.post gains an optional judge boolean. The handler enforces that non-judge logins require server.login; judge logins are allowed if server.login is enabled or the target user exists and has PRIV_JUDGE.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• hydro-dev/Hydro#1150: Modifies the login flow in packages/hydrooj/src/handler/user.ts and adjusts server.login checks alongside loginMethods configuration.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: enabling judger login to work even when builtin login is disabled, which is directly reflected in the code modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/hydrooj/src/handler/user.ts`:
- Around line 65-69: The privilege check currently runs before verifying
existence, causing BuiltinLoginError to mask missing users; change the order in
the login flow around user.getByEmail/user.getByUname so you first ensure udoc
exists (throw UserNotFoundError(uname) if null) and only then check the judger +
system.get('server.login') gate and call udoc.hasPriv(PRIV.PRIV_JUDGE) to decide
whether to throw BuiltinLoginError; update the logic in the function containing
the judger variable and these calls to make the existence check precede the
privilege check.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7dc06655-e6d9-4a43-8924-8fbdf0075470

📥 Commits

Reviewing files that changed from the base of the PR and between 3b13ddb and 0717006.

📒 Files selected for processing (2)

• packages/hydrojudge/src/hosts/hydro.ts
• packages/hydrooj/src/handler/user.ts