Make /admin/login return a descriptive error when no password is provided (#342)

matt-fidd · web-flow · commit 1bbba663b2c2 · 2024-04-19T21:35:19.000+01:00
diff --git a/src/account-db.js b/src/account-db.js
@@ -49,8 +49,13 @@ export function bootstrap(password) {
 }
 
 export function login(password) {
+  if (password === undefined || password === '') {
+    return { error: 'invalid-password' };
+  }
+
   let accountDb = getAccountDb();
   let row = accountDb.first('SELECT * FROM auth');
+
   let confirmed = row && bcrypt.compareSync(password, row.password);
 
   if (confirmed) {
@@ -59,7 +64,7 @@ export function login(password) {
     // "session" that times out after a long time or something, and
     // maybe each device has a different token
     let row = accountDb.first('SELECT * FROM sessions');
-    return row.token;
+    return { token: row.token };
   } else {
     return null;
   }
diff --git a/src/app-account.js b/src/app-account.js
@@ -38,7 +38,13 @@ app.post('/bootstrap', (req, res) => {
 });
 
 app.post('/login', (req, res) => {
-  let token = login(req.body.password);
+  let { error, token } = login(req.body.password);
+
+  if (error) {
+    res.status(400).send({ status: 'error', reason: error });
+    return;
+  }
+
   res.send({ status: 'ok', data: { token } });
 });
 
diff --git a/upcoming-release-notes/342.md b/upcoming-release-notes/342.md
@@ -0,0 +1,6 @@
+---
+category: Bugfix
+authors: [matt-fidd]
+---
+
+Make /admin/login return a descriptive error when no password is provided
