fix: return 401 if password is invalid (dexidp#2796)

Signed-off-by: m.nabokikh <[email protected]>
Cedric-Magnan · May 29, 2023 · 4a49c2f · 4a49c2f
1 parent 5b6be22
commit 4a49c2f
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 23 deletions.
diff --git a/server/handlers_test.go b/server/handlers_test.go
@@ -265,7 +265,7 @@ func mockConnectorDataTestStorage(t *testing.T, s storage.Storage) {
 	require.NoError(t, err)
 }
 
-func TestPasswordConnectorDataNotEmpty(t *testing.T) {
+func TestHandlePassword(t *testing.T) {
 	t0 := time.Now()
 
 	ctx, cancel := context.WithCancel(context.Background())
@@ -280,33 +280,46 @@ func TestPasswordConnectorDataNotEmpty(t *testing.T) {
 
 	mockConnectorDataTestStorage(t, s.storage)
 
-	u, err := url.Parse(s.issuerURL.String())
-	require.NoError(t, err)
+	makeReq := func(username, password string) *httptest.ResponseRecorder {
+		u, err := url.Parse(s.issuerURL.String())
+		require.NoError(t, err)
 
-	u.Path = path.Join(u.Path, "/token")
-	v := url.Values{}
-	v.Add("scope", "openid offline_access email")
-	v.Add("grant_type", "password")
-	v.Add("username", "test")
-	v.Add("password", "test")
+		u.Path = path.Join(u.Path, "/token")
+		v := url.Values{}
+		v.Add("scope", "openid offline_access email")
+		v.Add("grant_type", "password")
+		v.Add("username", username)
+		v.Add("password", password)
 
-	req, _ := http.NewRequest("POST", u.String(), bytes.NewBufferString(v.Encode()))
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
-	req.SetBasicAuth("test", "barfoo")
+		req, _ := http.NewRequest("POST", u.String(), bytes.NewBufferString(v.Encode()))
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+		req.SetBasicAuth("test", "barfoo")
 
-	rr := httptest.NewRecorder()
-	s.ServeHTTP(rr, req)
+		rr := httptest.NewRecorder()
+		s.ServeHTTP(rr, req)
 
-	require.Equal(t, 200, rr.Code)
+		return rr
+	}
 
-	// Check that we received expected refresh token
-	var ref struct {
-		Token string `json:"refresh_token"`
+	// Check unauthorized error
+	{
+		rr := makeReq("test", "invalid")
+		require.Equal(t, 401, rr.Code)
 	}
-	err = json.Unmarshal(rr.Body.Bytes(), &ref)
-	require.NoError(t, err)
 
-	newSess, err := s.storage.GetOfflineSessions("0-385-28089-0", "test")
-	require.NoError(t, err)
-	require.Equal(t, `{"test": "true"}`, string(newSess.ConnectorData))
+	// Check that we received expected refresh token
+	{
+		rr := makeReq("test", "test")
+		require.Equal(t, 200, rr.Code)
+
+		var ref struct {
+			Token string `json:"refresh_token"`
+		}
+		err := json.Unmarshal(rr.Body.Bytes(), &ref)
+		require.NoError(t, err)
+
+		newSess, err := s.storage.GetOfflineSessions("0-385-28089-0", "test")
+		require.NoError(t, err)
+		require.Equal(t, `{"test": "true"}`, string(newSess.ConnectorData))
+	}
 }
diff --git a/server/templates.go b/server/templates.go
@@ -286,6 +286,9 @@ func (t *templates) login(r *http.Request, w http.ResponseWriter, connectors []c
 }
 
 func (t *templates) password(r *http.Request, w http.ResponseWriter, postURL, lastUsername, usernamePrompt string, lastWasInvalid bool, backLink string) error {
+	if lastWasInvalid {
+		w.WriteHeader(http.StatusUnauthorized)
+	}
 	data := struct {
 		PostURL        string
 		BackLink       string