From 1bbba663b2c20b722327d885d0cbf80dba0ea44d Mon Sep 17 00:00:00 2001
From: Matt Fiddaman
Date: Fri, 19 Apr 2024 21:35:19 +0100
Subject: [PATCH] Make /admin/login return a descriptive error when no password is provided (#342)

---
 src/account-db.js | 7 ++++++-
 src/app-account.js | 8 +++++++-
 upcoming-release-notes/342.md | 6 ++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 upcoming-release-notes/342.md

diff --git a/src/account-db.js b/src/account-db.js
index b33fee867..52958e314 100644
--- a/src/account-db.js
+++ b/src/account-db.js
@@ -49,8 +49,13 @@ export function bootstrap(password) {
 }
 
 export function login(password) {
+  if (password === undefined || password === '') {
+    return { error: 'invalid-password' };
+  }
+
   let accountDb = getAccountDb();
   let row = accountDb.first('SELECT * FROM auth');
+
   let confirmed = row && bcrypt.compareSync(password, row.password);
 
   if (confirmed) {
@@ -59,7 +64,7 @@ export function login(password) {
     // "session" that times out after a long time or something, and
     // maybe each device has a different token
     let row = accountDb.first('SELECT * FROM sessions');
-    return row.token;
+    return { token: row.token };
   } else {
     return null;
   }
diff --git a/src/app-account.js b/src/app-account.js
index f992a3dd6..0f57e23ac 100644
--- a/src/app-account.js
+++ b/src/app-account.js
@@ -38,7 +38,13 @@ app.post('/bootstrap', (req, res) => {
 });
 
 app.post('/login', (req, res) => {
-  let token = login(req.body.password);
+  let { error, token } = login(req.body.password);
+
+  if (error) {
+    res.status(400).send({ status: 'error', reason: error });
+    return;
+  }
+
   res.send({ status: 'ok', data: { token } });
 });
 
diff --git a/upcoming-release-notes/342.md b/upcoming-release-notes/342.md
new file mode 100644
index 000000000..9ab8181fa
--- /dev/null
+++ b/upcoming-release-notes/342.md
@@ -0,0 +1,6 @@
+---
+category: Bugfix
+authors: [matt-fidd]
+---
+
+Make /admin/login return a descriptive error when no password is provided
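Review bot: The new guard at the top of login() only rejects `undefined` and `''`, so a JSON body carrying `"password": null`, a number, an array or an object passes it and is handed straight to `bcrypt.compareSync`, which for the bcrypt libraries I know rejects a non-string with an exception — surfacing as a 500 rather than the descriptive 400 this change is meant to add. A type check covers every one of those shapes in the same line: `if (typeof password !== 'string' || password === '') {`. The body of login() continues past the end of this hunk.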
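Review bot: The `else` branch still ends in `return null;` when the password does not match, while the new caller in the src/app-account.js hunk destructures the result with `let { error, token } = login(req.body.password);` — destructuring `null` throws a TypeError, so a wrong password now crashes the handler instead of producing a response (the old code sent `{ token: null }`). Returning an object on every path keeps the contract uniform, e.g. `return { error: 'invalid-password' };` in place of `return null;`, which the /login handler already maps to a 400; if the two failure cases should be distinguishable in logs or clients, a separate reason string for the mismatch case would do it without changing the handler. login() begins before this hunk.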