From c86bb2adbd906f0a01f8dfcf87eaa3cacf3aa6d4 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sat, 29 Apr 2023 15:39:25 +0200
Subject: Fixed invalid username handling

---
 controllers/root/login.js |  1 +
 database/users.js         |  3 +++
 tests/root.spec.js        | 13 +++++++++++++
 3 files changed, 17 insertions(+)

diff --git a/controllers/root/login.js b/controllers/root/login.js
index 431f7f9..dc506cc 100644
--- a/controllers/root/login.js
+++ b/controllers/root/login.js
@@ -39,5 +39,6 @@ export async function login_post(req, res) {
 	if (Object.keys(page.errors).length === 0) {
 		return res.redirect(302, '/games');
 	}
+	res.status(403);
 	return res.render('login', page);
 }
diff --git a/database/users.js b/database/users.js
index cc50bdc..353b54a 100644
--- a/database/users.js
+++ b/database/users.js
@@ -34,6 +34,9 @@ export async function login(username, password) {
 		console.log(err);
 		return null;
 	}
+	if (user === undefined) {
+		return null;
+	}
 	const result = await bcrypt.compare(password, user.hash);
 	if (result === true) {
 		return {
diff --git a/tests/root.spec.js b/tests/root.spec.js
index 34a8328..e422575 100644
--- a/tests/root.spec.js
+++ b/tests/root.spec.js
@@ -34,4 +34,17 @@ describe.concurrent('Root handlers tests', function() {
 			});
 		});
 	});
+
+	describe.concurrent('With invalid credentials', function() {
+		it('POST /login', async function() {
+			await request.post('/login').send('username=NonExistant&password=Alice42!')
+				.expect('Content-Type', /text\/html/)
+				.expect(403, /erreur de connexion/);
+		});
+		it('POST /login', async function() {
+			await request.post('/login').send('username=Alice&password=Invalid')
+				.expect('Content-Type', /text\/html/)
+				.expect(403, /erreur de connexion/);
+		});
+	});
 });
-- 
cgit v1.2.3