Send a HTTP 401 for incorrect login credentials

This fixes a regression from flarum#1843 and flarum#1854. Now, the frontend again shows the proper "Incorrect login details" message instead of "You do not have permission to do that".
wzdiyb · Feb 16, 2020 · 2bc9b93 · 2bc9b93
1 parent 8e82e7c
commit 2bc9b93
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 2 deletions.
diff --git a/src/Api/Controller/CreateTokenController.php b/src/Api/Controller/CreateTokenController.php
@@ -12,7 +12,7 @@
 namespace Flarum\Api\Controller;
 
 use Flarum\Http\AccessToken;
-use Flarum\User\Exception\PermissionDeniedException;
+use Flarum\User\Exception\NotAuthenticatedException;
 use Flarum\User\UserRepository;
 use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
 use Illuminate\Contracts\Events\Dispatcher as EventDispatcher;
@@ -65,7 +65,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         $user = $this->users->findByIdentification($identification);
 
         if (! $user || ! $user->checkPassword($password)) {
-            throw new PermissionDeniedException;
+            throw new NotAuthenticatedException;
         }
 
         $token = AccessToken::generate($user->id, $lifetime);

diff --git a/tests/integration/api/authentication/WithTokenTest.php b/tests/integration/api/authentication/WithTokenTest.php
@@ -60,4 +60,33 @@ public function user_generates_token()
         $token = $data['token'];
         $this->assertEquals(2, AccessToken::findOrFail($token)->user_id);
     }
+
+    /**
+     * @test
+     */
+    public function failure_with_invalid_credentials()
+    {
+        $response = $this->send(
+            $this->request(
+                'POST', '/api/token',
+                [
+                    'json' => [
+                        'identification' => 'normal',
+                        'password' => 'too-incorrect'
+                    ],
+                ]
+            )->withAttribute('bypassCsrfToken', true)
+        );
+
+        // HTTP 401 signals an authentication problem
+        $this->assertEquals(401, $response->getStatusCode());
+
+        // The response body should contain an error code
+        $body = (string) $response->getBody();
+        $this->assertJson($body);
+
+        $data = json_decode($body, true);
+        $this->assertCount(1, $data['errors']);
+        $this->assertEquals('not_authenticated', $data['errors'][0]['code']);
+    }
 }