From 7c96e1b780243bfbe3ecc5b6874fe3497e2419d5 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Fri, 15 Nov 2024 23:59:14 +0100
Subject: fix(tfstated): return 403 Forbidden on non existent account

---
 pkg/basic_auth/middleware.go | 4 ++++
 pkg/database/accounts.go     | 4 ++++
 2 files changed, 8 insertions(+)

(limited to 'pkg')

diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go
index 94cac56..1b51c8a 100644
--- a/pkg/basic_auth/middleware.go
+++ b/pkg/basic_auth/middleware.go
@@ -23,6 +23,10 @@ func Middleware(db *database.DB) func(http.Handler) http.Handler {
 				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 				return
 			}
+			if account == nil {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
 			if password != account.Password {
 				http.Error(w, "Forbidden", http.StatusForbidden)
 				return
diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go
index 7902371..3919709 100644
--- a/pkg/database/accounts.go
+++ b/pkg/database/accounts.go
@@ -2,6 +2,7 @@ package database
 
 import (
 	"database/sql"
+	"errors"
 	"fmt"
 	"log/slog"
 	"time"
@@ -32,6 +33,9 @@ func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) {
 		&account.Settings,
 	)
 	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, nil
+		}
 		return nil, err
 	}
 	password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword)
-- 
cgit v1.2.3