Adding logic to ensure a valid error message is shown to the user when the login attempt failed.

Michael Miscampbell · Michael Miscampbell · commit eff01d0ca1f0 · 2019-02-11T23:37:02.000Z
diff --git a/src/TokenBasedRestApiModule.php b/src/TokenBasedRestApiModule.php
@@ -20,6 +20,7 @@
 
 use Firebase\JWT\JWT;
 use Rhubarb\Crown\DependencyInjection\Container;
+use Rhubarb\Crown\LoginProviders\Exceptions\LoginFailedException;
 use Rhubarb\Crown\LoginProviders\LoginProvider;
 use Rhubarb\RestApi\Exceptions\MethodNotAllowedException;
 use Rhubarb\RestApi\RhubarbApiModule;
@@ -91,24 +92,30 @@ protected function authenticate(Request $request)
         $authorizationHeader = $request->getHeader('Authorization');
 
         if (empty($authorizationHeader)) {
-            return false;
+            return [false, 'Invalid payload'];
         }
 
         $authHeader = $request->getHeader('Authorization')[0];
         $loginCredentials = explode(':', base64_decode(str_replace('Basic ', '', $authHeader)), 2);
 
         if (count($loginCredentials) < 2) {
-            return false;
+            return [false, 'Invalid payload'];
         }
 
         list($user, $password) = $loginCredentials;
         try {
             /** @var LoginProvider $login */
             $login = LoginProvider::getProvider();
             $login->login($user, $password);
-            return $login->loggedInUserIdentifier;
+            return [true, $login->loggedInUserIdentifier];
         } catch (\Exception $exception) {
-            return false;
+            $message = '';
+
+            if ($exception instanceof LoginFailedException) {
+                $message = $exception->getPublicMessage();
+            }
+
+            return [false, $message];
         }
     }
 
@@ -143,15 +150,18 @@ public function registerRoutes(App $app)
             if ($request->getMethod() !== 'POST') {
                 throw new MethodNotAllowedException();
             }
-            if ($user = $self->authenticate($request)) {
+            
+            list($status, $authData) = $self->authenticate($request);
+            
+            if ($status) {
                 $expiry = new \DateTime();
                 $expiry->add(new\DateInterval('P1D'));
 
                 $data = [
                     'token' => JWT::encode(
                         [
                             'expires' => $expiry->getTimestamp(),
-                            'user' => $user,
+                            'user' => $authData,
                         ],
                         $self->secret,
                         $self->algorithm
@@ -163,6 +173,7 @@ public function registerRoutes(App $app)
                     ->withStatus(201, 'Created');
             } else {
                 return $response
+                    ->withJson(['message' => $authData])
                     ->withAddedHeader('WWW_Authenticate', 'Basic')
                     ->withStatus(401, 'Access Denied');
             }
