Address path traversal and other security fixes

2026-04-10 14:58:57 -04:00
parent e1c32b6584
commit da16fddce3
4 changed files with 19 additions and 18 deletions
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -85,7 +85,7 @@ pub async fn login<D: UserDao>(
        HttpResponse::Ok().json(Token { token: &token })
    } else {
        error!("Failed login attempt for user: '{}'", creds.username);
-        HttpResponse::NotFound().finish()
+        HttpResponse::Unauthorized().finish()
    }
 }

@@ -128,7 +128,7 @@ mod tests {
    }

    #[actix_rt::test]
-    async fn test_login_reports_404_when_user_does_not_exist() {
+    async fn test_login_reports_401_when_user_does_not_exist() {
        let mut dao = TestUserDao::new();
        dao.create_user("user", "password");

@@ -139,6 +139,6 @@ mod tests {

        let response = login::<TestUserDao>(j, web::Data::new(Mutex::new(dao))).await;

-        assert_eq!(response.status(), 404);
+        assert_eq!(response.status(), 401);
    }
 }