Bug Description

In internal/graphql/update_profile.go:154, the condition !isBasicAuthEnabled || !isMobileBasicAuthEnabled uses OR instead of AND. Password change is blocked if EITHER auth method is disabled, but should only block when BOTH are disabled.

Impact

MEDIUM — Users cannot change their password via UpdateProfile if only one of basic auth or mobile basic auth is enabled.

Fix

Change || to &&: !isBasicAuthEnabled && !isMobileBasicAuthEnabled