From 05924f2c676bfcbe61ff55cea50c5151f2a854a5 Mon Sep 17 00:00:00 2001
From: Derf Null <derf@finalrewind.org>
Date: Sun, 25 Jun 2023 23:28:38 +0200
Subject: Login: return HTTP 400 on invalid password or unconfirmed account

---
 lib/Travelynx/Controller/Account.pm | 12 ++++++++++--
 t/02-registration.t                 |  4 ++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index bc24c05..f0f2119 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -260,10 +260,18 @@ sub do_login {
 		else {
 			my $data = $self->users->get_login_data( name => $user );
 			if ( $data and $data->{status} == 0 ) {
-				$self->render( 'login', invalid => 'confirmation' );
+				$self->render(
+					'login',
+					status  => 400,
+					invalid => 'confirmation'
+				);
 			}
 			else {
-				$self->render( 'login', invalid => 'credentials' );
+				$self->render(
+					'login',
+					status  => 400,
+					invalid => 'credentials'
+				);
 			}
 		}
 	}
diff --git a/t/02-registration.t b/t/02-registration.t
index b588d15..53f772f 100644
--- a/t/02-registration.t
+++ b/t/02-registration.t
@@ -88,7 +88,7 @@ $t->post_ok(
 		password   => 'foofoofoo',
 	}
 );
-$t->status_is(200)->content_like(qr{nicht freigeschaltet});
+$t->status_is(400)->content_like(qr{nicht freigeschaltet});
 
 my $res = $t->app->pg->db->select( 'users', ['id'], { name => 'someone' } );
 my $uid = $res->hash->{id};
@@ -108,7 +108,7 @@ $t->post_ok(
 		password   => 'definitely invalid',
 	}
 );
-$t->status_is(200)->content_like(qr{falsches Passwort});
+$t->status_is(400)->content_like(qr{falsches Passwort});
 
 # Successful login
 $t->post_ok(
-- 
cgit v1.2.3