fix(tfstated): return 403 Forbidden on non existent account

2024-11-15 23:59:14 +01:00 · 2024-11-15 23:59:14 +01:00 · 7c96e1b780
commit 7c96e1b780
parent 478f42f8a9
2 changed files with 8 additions and 0 deletions
--- a/pkg/basic_auth/middleware.go
+++ b/pkg/basic_auth/middleware.go
@ -23,6 +23,10 @@ func Middleware(db *database.DB) func(http.Handler) http.Handler {
 				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 				return
 			}
+			if account == nil {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
 			if password != account.Password {
 				http.Error(w, "Forbidden", http.StatusForbidden)
 				return
--- a/pkg/database/accounts.go
+++ b/pkg/database/accounts.go
@ -2,6 +2,7 @@ package database

 import (
 	"database/sql"
+	"errors"
 	"fmt"
 	"log/slog"
 	"time"
@ -32,6 +33,9 @@ func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) {
 		&account.Settings,
 	)
 	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, nil
+		}
 		return nil, err
 	}
 	password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword)