Send a HTTP 401 for incorrect login credentials

This fixes a regression from #1843 and #1854. Now, the frontend again shows the proper "Incorrect login details" message instead of "You do not have permission to do that".
2024-11-27 02:53:37 +08:00 · 2019-09-13 14:38:06 +02:00 · 2019-09-13 14:38:06 +02:00 · eca288f525
commit eca288f525
parent b75e8284da
2 changed files with 31 additions and 2 deletions
--- a/framework/core/src/Api/Controller/CreateTokenController.php
+++ b/framework/core/src/Api/Controller/CreateTokenController.php
@ -12,7 +12,7 @@
 namespace Flarum\Api\Controller;

 use Flarum\Http\AccessToken;
-use Flarum\User\Exception\PermissionDeniedException;
+use Flarum\User\Exception\NotAuthenticatedException;
 use Flarum\User\UserRepository;
 use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
 use Illuminate\Contracts\Events\Dispatcher as EventDispatcher;
@ -65,7 +65,7 @@ class CreateTokenController implements RequestHandlerInterface
        $user = $this->users->findByIdentification($identification);

        if (! $user || ! $user->checkPassword($password)) {
-            throw new PermissionDeniedException;
+            throw new NotAuthenticatedException;
        }

        $token = AccessToken::generate($user->id, $lifetime);
--- a/framework/core/tests/integration/api/authentication/WithTokenTest.php
+++ b/framework/core/tests/integration/api/authentication/WithTokenTest.php
@ -60,4 +60,33 @@ class WithTokenTest extends TestCase
        $token = $data['token'];
        $this->assertEquals(2, AccessToken::findOrFail($token)->user_id);
    }
+
+    /**
+     * @test
+     */
+    public function failure_with_invalid_credentials()
+    {
+        $response = $this->send(
+            $this->request(
+                'POST', '/api/token',
+                [
+                    'json' => [
+                        'identification' => 'normal',
+                        'password' => 'too-incorrect'
+                    ],
+                ]
+            )->withAttribute('bypassCsrfToken', true)
+        );
+
+        // HTTP 401 signals an authentication problem
+        $this->assertEquals(401, $response->getStatusCode());
+
+        // The response body should contain an error code
+        $body = (string) $response->getBody();
+        $this->assertJson($body);
+
+        $data = json_decode($body, true);
+        $this->assertCount(1, $data['errors']);
+        $this->assertEquals('not_authenticated', $data['errors'][0]['code']);
+    }
 }