From 05924f2c676bfcbe61ff55cea50c5151f2a854a5 Mon Sep 17 00:00:00 2001
From: Derf Null <derf@finalrewind.org>
Date: Sun, 25 Jun 2023 23:28:38 +0200
Subject: Login: return HTTP 400 on invalid password or unconfirmed account

---
 lib/Travelynx/Controller/Account.pm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'lib/Travelynx')

diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index bc24c05..f0f2119 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -260,10 +260,18 @@ sub do_login {
 		else {
 			my $data = $self->users->get_login_data( name => $user );
 			if ( $data and $data->{status} == 0 ) {
-				$self->render( 'login', invalid => 'confirmation' );
+				$self->render(
+					'login',
+					status  => 400,
+					invalid => 'confirmation'
+				);
 			}
 			else {
-				$self->render( 'login', invalid => 'credentials' );
+				$self->render(
+					'login',
+					status  => 400,
+					invalid => 'credentials'
+				);
 			}
 		}
 	}
-- 
cgit v1.2.3