Fixed invalid username handling

3 files changed, 17 insertions, 0 deletions

diff --git a/controllers/root/login.js b/controllers/root/login.js
index 431f7f9..dc506cc 100644
--- a/controllers/root/login.js
+++ b/controllers/root/login.js
@@ -39,5 +39,6 @@ export async function login_post(req, res) {
 	if (Object.keys(page.errors).length === 0) {
 		return res.redirect(302, '/games');
 	}
+	res.status(403);
 	return res.render('login', page);
 }
diff --git a/database/users.js b/database/users.js
index cc50bdc..353b54a 100644
--- a/database/users.js
+++ b/database/users.js
@@ -34,6 +34,9 @@ export async function login(username, password) {
 		console.log(err);
 		return null;
 	}
+	if (user === undefined) {
+		return null;
+	}
 	const result = await bcrypt.compare(password, user.hash);
 	if (result === true) {
 		return {
diff --git a/tests/root.spec.js b/tests/root.spec.js
index 34a8328..e422575 100644
--- a/tests/root.spec.js
+++ b/tests/root.spec.js
@@ -34,4 +34,17 @@ describe.concurrent('Root handlers tests', function() {
 			});
 		});
 	});
+
+	describe.concurrent('With invalid credentials', function() {
+		it('POST /login', async function() {
+			await request.post('/login').send('username=NonExistant&password=Alice42!')
+				.expect('Content-Type', /text\/html/)
+				.expect(403, /erreur de connexion/);
+		});
+		it('POST /login', async function() {
+			await request.post('/login').send('username=Alice&password=Invalid')
+				.expect('Content-Type', /text\/html/)
+				.expect(403, /erreur de connexion/);
+		});
+	});
 });