Make bad token creds fail

reload · Sep 25, 2024 · 11bbc62 · 11bbc62
1 parent 403e402
commit 11bbc62
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,10 @@ and this project adheres to [Intended Effort Versioning](https://jacobtomlinson.
 
 ## 1.3.2 - [Unreleased]
 
+### Changed
+- Invalid token creds results in 403 response, not an anonymous
+  response.
+
 ## [1.3.1] - 2024-09-25
 
 ### Added

diff --git a/src/controllers/legacy_entity_controller.cr b/src/controllers/legacy_entity_controller.cr
@@ -11,6 +11,14 @@ class LegacyEntityController < Amber::Controller::Base
       if token.size == 2
         token_user = User.find_by(hashed_password: token[0], email: token[1])
       end
+
+      unless token_user
+        halt!(403, "Forbidden")
+
+        # Contrary to the documented behaviour, halt! doesn't actually
+        # break out early. Obviously a bug.
+        return
+      end
     end
 
     location = Time::Location.load("Europe/Copenhagen")