fix(tfstated): return 403 Forbidden on non existent account

Julien Dessaux 2024-11-15 23:59:14 +01:00
parent 478f42f8a9
commit 7c96e1b780
Signed by: adyxax
GPG key ID: F92E51B86E07177E
2 changed files with 8 additions and 0 deletions


@ -23,6 +23,10 @@ func Middleware(db *database.DB) func(http.Handler) http.Handler {
http.Error(w, "Internal Server Error", http.StatusInternalServerError) http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return return
} }
if account == nil {
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
if password != account.Password { if password != account.Password {
http.Error(w, "Forbidden", http.StatusForbidden) http.Error(w, "Forbidden", http.StatusForbidden)
return return
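Review bot: The new `account == nil` branch returns before any password work is done, whereas an existing account is decrypted inside LoadAccountByUsername and then checked with `password != account.Password`. The two 403 responses therefore match in status and body but probably not in response time, which would still let a client tell existing usernames from missing ones. Assuming both values are strings, I would make the comparison `if subtle.ConstantTimeCompare([]byte(password), []byte(account.Password)) != 1 {` (from `crypto/subtle`) and have the nil branch run the same comparison against a fixed dummy value before returning. A short comment on the nil branch, such as `// same response as a wrong password so callers cannot probe for usernames`, would record why 403 rather than 404 was chosen. Middleware's body starts and ends outside this hunk, so the credential parsing above it is not reviewed here.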


@ -2,6 +2,7 @@ package database
import ( import (
"database/sql" "database/sql"
"errors"
"fmt" "fmt"
"log/slog" "log/slog"
"time" "time"
@ -32,6 +33,9 @@ func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) {
&account.Settings, &account.Settings,
) )
if err != nil { if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
return nil, err return nil, err
} }
password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword) password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword)
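Review bot: Returning `nil, nil` on `sql.ErrNoRows` pushes the missing-account case onto every caller as a nil check that nothing enforces. The middleware in this commit adds that check, but any other caller of LoadAccountByUsername that dereferences the result would panic instead of failing closed. At minimum the doc comment should state the contract, for example `// LoadAccountByUsername returns (nil, nil) when no account matches username.`; a sentinel error tested with `errors.Is` at the call site would make the case harder to overlook. The function's signature and the rest of its body lie outside this hunk, so its existing documentation is not visible here.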