admin: better error when password auth is disabled

2025-07-29 22:01:14 +03:00 · 2024-08-07 11:52:34 +02:00
parent 475a43df71
commit c61a52a3a0
2 changed files with 54 additions and 1 deletions
--- a/crates/handlers/src/admin/v1/users/set_password.rs
+++ b/crates/handlers/src/admin/v1/users/set_password.rs
@ -36,6 +36,9 @@ pub enum RouteError {
    #[error("Password is too weak")]
    PasswordTooWeak,
    #[error("Password auth is disabled")]
    PasswordAuthDisabled,
    #[error("Password hashing failed")]
    Password(#[source] anyhow::Error),
@ -50,6 +53,7 @@ impl IntoResponse for RouteError {
        let error = ErrorResponse::from_error(&self);
        let status = match self {
            Self::Internal(_) | Self::Password(_) => StatusCode::INTERNAL_SERVER_ERROR,
            Self::PasswordAuthDisabled => StatusCode::FORBIDDEN,
            Self::PasswordTooWeak => StatusCode::BAD_REQUEST,
            Self::NotFound(_) => StatusCode::NOT_FOUND,
        };
@ -83,6 +87,11 @@ pub fn doc(operation: TransformOperation) -> TransformOperation {
            let response = ErrorResponse::from_error(&RouteError::PasswordTooWeak);
            t.description("Password is too weak").example(response)
        })
        .response_with::<403, RouteError, _>(|t| {
            let response = ErrorResponse::from_error(&RouteError::PasswordAuthDisabled);
            t.description("Password auth is disabled in the server configuration")
                .example(response)
        })
        .response_with::<404, RouteError, _>(|t| {
            let response = ErrorResponse::from_error(&RouteError::NotFound(Ulid::nil()));
            t.description("User was not found").example(response)
@ -99,6 +108,10 @@ pub async fn handler(
    id: UlidPathParam,
    Json(params): Json<Request>,
 ) -> Result<StatusCode, RouteError> {
    if !password_manager.is_enabled() {
        return Err(RouteError::PasswordAuthDisabled);
    }
    let user = repo
        .user()
        .lookup(*id)
@ -137,7 +150,10 @@ mod tests {
    use sqlx::PgPool;
    use zeroize::Zeroizing;
-    use crate::test_utils::{setup, RequestBuilderExt, ResponseExt, TestState};
+    use crate::{
        passwords::PasswordManager,
        test_utils::{setup, RequestBuilderExt, ResponseExt, TestState},
    };
    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
    async fn test_set_password(pool: PgPool) {
@ -267,4 +283,24 @@ mod tests {
            "User ID 01040G2081040G2081040G2081 not found"
        );
    }
    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
    async fn test_disabled(pool: PgPool) {
        setup();
        let mut state = TestState::from_pool(pool).await.unwrap();
        state.password_manager = PasswordManager::disabled();
        let token = state.token_with_scope("urn:mas:admin").await;
        let request = Request::post("/api/admin/v1/users/01040G2081040G2081040G2081/set-password")
            .bearer(&token)
            .json(serde_json::json!({
                "password": "hunter2",
            }));
        let response = state.request(request).await;
        response.assert_status(StatusCode::FORBIDDEN);
        let body: serde_json::Value = response.json();
        assert_eq!(body["errors"][0]["title"], "Password auth is disabled");
    }
 }
--- a/docs/api/spec.json
+++ b/docs/api/spec.json
@ -367,6 +367,23 @@
              }
            }
          },
          "403": {
            "description": "Password auth is disabled in the server configuration",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorResponse"
                },
                "example": {
                  "errors": [
                    {
                      "title": "Password auth is disabled"
                    }
                  ]
                }
              }
            }
          },
          "404": {
            "description": "User was not found",
            "content": {