From a49db010e4a5e48017d8583c374210242a680ddd Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Fri, 17 Apr 2020 10:56:06 +0200
Subject: A wrong login must return HTTP 403 (#2903)

* A wrong login must produce HTTP 403 #fix https://github.com/FreshRSS/FreshRSS/issues/2901 https://github.com/FreshRSS/FreshRSS/pull/2794/files#r389319248
* Just for consistency
---
 app/Controllers/authController.php | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
(limited to 'app/Controllers/authController.php')
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 5874b312d..d61472e53 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -116,17 +116,18 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 $limits = $conf->limits;
 $this->view->cookie_days = round($limits['cookie_duration'] / 86400, 1);
- if (Minz_Request::isPost()) {
+ $isPOST = Minz_Request::isPost() && !Minz_Session::param('POST_to_GET');
+ Minz_Session::_param('POST_to_GET');
+
+ if ($isPOST) {
 $nonce = Minz_Session::param('nonce');
 $username = Minz_Request::param('username', '');
 $challenge = Minz_Request::param('challenge', '');
 $conf = get_user_configuration($username);
 if ($conf == null) {
- Minz_Request::bad(
- _t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login')
- );
+ //We do not test here whether the user exists, so most likely an internal error.
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 return;
 }
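Review bot: The comment added above `Minz_Error::error(403, …)` calls the `$conf == null` case "most likely an internal error", yet the response is a 403 carrying the same `feedback.auth.login.invalid` text the wrong-password branch uses, so the comment and the status code disagree and will mislead the next reader. If the intent is that an unknown or unloadable user is deliberately answered exactly like a wrong password (the right property, since a distinguishable response would let a client enumerate account names), say that instead: `// Unknown or unloadable user: answer exactly like a wrong password (403 + generic message) so usernames cannot be enumerated.` If it really is an internal failure, the branch should also log it before returning, which the hunk does not do. The login action continues past the end of the hunk.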
@@ -155,10 +156,15 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 ' user=' . $username . ', nonce=' . $nonce . ', c=' . $challenge);
- Minz_Request::bad(
- _t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login')
- );
+
+ header('HTTP/1.1 403 Forbidden');
+ Minz_Session::_param('POST_to_GET', true); //Prevent infinite internal redirect
+ Minz_View::_param('notification', [
+ 'type' => 'bad',
+ 'content' => _t('feedback.auth.login.invalid'),
+ ]);
+ Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
+ return;
 }
 } elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
 $username = Minz_Request::param('u', '');
-- 
cgit v1.2.3
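Review bot: `header('HTTP/1.1 403 Forbidden')` hardcodes the protocol version in the status line; `http_response_code(403);` is the idiomatic form and lets PHP emit the status for whatever `SERVER_PROTOCOL` the request actually used (HTTP/1.0, HTTP/2 behind a proxy). Separately, the `POST_to_GET` session flag set here is only cleared when the login action runs again (the first hunk), and the flag lives in the session rather than the request: if the internal forward does not reach that line, the flag stays set and the user's next genuine POST login attempt would be treated as a GET and silently ignored, as far as the hunk shows. Consider clearing it unconditionally on the forwarded action's entry or keeping it request-scoped instead of in the session. The enclosing login action starts before and ends after this hunk.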