From 16c57cc424dc8ab48c7e3d07459e9da24d84b057 Mon Sep 17 00:00:00 2001
From: Lilleman
Date: Tue, 26 Apr 2022 13:42:59 +0200
Subject: [PATCH] Fixed bug when trying to auth with empty username and empty password

---
 src/db/accounts.go          | 12 ++++++++----
 tests/test-cases/01basic.js | 15 +++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/db/accounts.go b/src/db/accounts.go
index c175990..4695505 100644
--- a/src/db/accounts.go
+++ b/src/db/accounts.go
@@ -81,8 +81,8 @@ func (d Db) AccountDel(accountID string) error {
 }
 
 // AccountGet fetches an account from the database
-func (d Db) AccountGet(accountID string, APIKey string, Name string) (Account, error) {
-	d.Log.Debug("Trying to get account", "accountID", accountID, "len(APIKey)", len(APIKey))
+func (d Db) AccountGet(accountID string, APIKey string, name string) (Account, error) {
+	d.Log.Debug("Trying to get account", "accountID", accountID, "len(APIKey)", len(APIKey), "name", name)
 
 	var account Account
 	var searchParam string
@@ -93,9 +93,13 @@ func (d Db) AccountGet(accountID string, APIKey string, Name string) (Account, e
 	} else if APIKey != "" {
 		accountSQL = accountSQL + "\"apiKey\" = $1"
 		searchParam = APIKey
-	} else if Name != "" {
+	} else if name != "" {
 		accountSQL = accountSQL + "name = $1"
-		searchParam = Name
+		searchParam = name
+	} else {
+		d.Log.Debug("No get criteria entered, returning empty response without calling the database")
+
+		return Account{}, errors.New("no rows in result set")
 	}
 
 	accountErr := d.DbPool.QueryRow(context.Background(), accountSQL, searchParam).Scan(&account.ID, &account.Created, &account.Name, &account.Password)
diff --git a/tests/test-cases/01basic.js b/tests/test-cases/01basic.js
index 4907acf..135421e 100644
--- a/tests/test-cases/01basic.js
+++ b/tests/test-cases/01basic.js
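Review bot: The doc comment `// AccountGet fetches an account from the database` kept as context above the new signature does not say how the three parameters are combined, and the all-empty path added in the next hunk changes the contract; I would replace it with `// AccountGet fetches the account matching the first non-empty criterion, checked in the order accountID, APIKey, name. If all three are empty it returns a "no rows in result set" error without querying the database.` Renaming `Name` to `name` also leaves `APIKey` as the only capitalised parameter in the new signature; `apiKey` would follow Go naming for an unexported identifier and keep the three parameters consistent. AccountGet's body continues past the end of this hunk.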
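Review bot: The new `else` branch at the bottom of the hunk builds its own error with `errors.New("no rows in result set")`, which only imitates the text of the driver's no-rows sentinel; a caller that checks `errors.Is(err, pgx.ErrNoRows)` (the `QueryRow(ctx, ...)` call below suggests pgx, but the import block is outside the hunk) would treat the empty-criteria case differently from a real miss, while a caller comparing error strings is tied to a message that can change with the driver. Returning the driver's sentinel, `return Account{}, pgx.ErrNoRows`, or a package-level `ErrAccountNotFound` that the `accountErr` path below also maps to, keeps both cases on one path. It is also worth confirming that `errors` is already imported in accounts.go, since the diffstat shows no import hunk. AccountGet's body continues past the end of this hunk.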
@@ -140,6 +140,21 @@ test('test-cases/01basic.js: Auth by wrong username', async t => {
 	}
 });
 
+test('test-cases/01basic.js: Auth by empty username and empty password', async t => {
+	try {
+		await got.post(`${process.env.AUTH_URL}/auth/password`, {
+			json: {
+				name: '',
+				password: '',
+			},
+			responseType: 'json',
+		});
+		t.fail('Trying to login with wrong username should fail with a 403');
+	} catch(err) {
+		t.equal(err.message, 'Response code 403 (Forbidden)', 'Trying to login with wrong username should fail with a 403');
+	}
+});
+
 test('test-cases/01basic.js: PUT /account/{id}/fields', async t => {
 	const res = await got.put(`${process.env.AUTH_URL}/account/${user.id}/fields`, {
 		headers: { 'Authorization': `bearer ${adminJWTString}`},
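Review bot: Both assertion messages in the new test still read 'Trying to login with wrong username should fail with a 403', copied from the 'Auth by wrong username' test above, so a failure of this case is reported under the wrong name; change both to `'Auth with empty username and empty password should fail with a 403'`. The `catch` also compares any thrown error against the 403 message, so a connection or timeout error shows up as a message mismatch rather than a clearly distinct failure; checking `err.response` exists and asserting on `err.response.statusCode` would be more specific, though the surrounding tests use the same pattern. The PUT test that follows is only partly inside the hunk.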