From 7c96e1b780243bfbe3ecc5b6874fe3497e2419d5 Mon Sep 17 00:00:00 2001 From: Julien Dessaux Date: Fri, 15 Nov 2024 23:59:14 +0100 Subject: fix(tfstated): return 403 Forbidden on non existent account --- pkg/basic_auth/middleware.go | 4 ++++ pkg/database/accounts.go | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go index 94cac56..1b51c8a 100644 --- a/pkg/basic_auth/middleware.go +++ b/pkg/basic_auth/middleware.go @@ -23,6 +23,10 @@ func Middleware(db *database.DB) func(http.Handler) http.Handler { http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } + if account == nil { + http.Error(w, "Forbidden", http.StatusForbidden) + return + } if password != account.Password { http.Error(w, "Forbidden", http.StatusForbidden) return diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go index 7902371..3919709 100644 --- a/pkg/database/accounts.go +++ b/pkg/database/accounts.go @@ -2,6 +2,7 @@ package database import ( "database/sql" + "errors" "fmt" "log/slog" "time" @@ -32,6 +33,9 @@ func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) { &account.Settings, ) if err != nil { + if errors.Is(err, sql.ErrNoRows) { + return nil, nil + } return nil, err } password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword) -- cgit v1.2.3
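Review bot: The new `if account == nil` branch returns before the password comparison, so an unknown username is rejected measurably faster than a known username with a wrong password (the wrong-password path has additionally run the AES decrypt inside LoadAccountByUsername), which hands a remote caller a timing oracle for username enumeration even though both paths answer 403. The comparison on the following context line, `if password != account.Password {`, is also a non-constant-time string compare; replacing it with `if subtle.ConstantTimeCompare([]byte(password), []byte(account.Password)) != 1 {` (import `crypto/subtle`) fixes the compare itself, and flattening the nil path would mean comparing against an empty dummy value and rejecting afterwards rather than returning early. Whether this is worth doing depends on the deployment's threat model, and the decrypt-side difference would still have to be equalized in the database layer to fully close the gap. The enclosing Middleware closure starts at the hunk header and continues beyond the hunk.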
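Review bot: The new `return nil, nil` on the `sql.ErrNoRows` branch turns "no such account" into a silent nil result, so any caller of LoadAccountByUsername that forgets to nil-check the returned *model.Account will dereference nil on the first field access; a sentinel error is the idiomatic Go shape and turns a forgotten check into an error path instead of a panic: `var ErrAccountNotFound = errors.New("account not found")` at package scope and `return nil, ErrAccountNotFound` here, with callers discriminating via `errors.Is(err, ErrAccountNotFound)`. If the nil/nil contract is kept instead, it should at least be stated on the function's doc comment, e.g. `// LoadAccountByUsername returns (nil, nil) when no account exists for username.` The function's signature is in the hunk header and its body continues past the hunk.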