From ff934b73fefa3104d1fef1d44845badd7415c6a4 Mon Sep 17 00:00:00 2001
From: Sebastian Wagner <wagner@cert.at>
Date: Tue, 24 Aug 2021 18:39:34 +0200
Subject: [PATCH] BUG: api session: better error message with disabled session
 storage

the error message when the session storage was disabled was misleading
as it suggested wrong credentials, but actually no login is required and
possible.

the intelmq-manager shows a fixed error message and needs a fix as well
---
 CHANGELOG.rst      | 2 +-
 intelmq_api/api.py | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c7074d0..2f18034 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,7 +8,7 @@ CHANGELOG
 
 3.0.1 (unreleased)
 ------------------
-
+- Return a matching error message if the session storage is disabled and therefore a login is not possible (PR#36 by Sebastian Wagner, fixes #35).
 
 3.0.0 (2021-07-07)
 ------------------
diff --git a/intelmq_api/api.py b/intelmq_api/api.py
index 6a7ff50..ff36f33 100644
--- a/intelmq_api/api.py
+++ b/intelmq_api/api.py
@@ -185,14 +185,17 @@ def config(response, file: str, fetch: bool=False):
 
 @hug.post("/api/login", versions=1)
 def login(username: str, password: str):
-    if session_store is not None:
+    if session_store is None:
+        return {"error": "Session store is disabled by configuration! No login possible and required."}
+    else:
         known = session_store.verify_user(username, password)
         if known is not None:
             token = session_store.new_session({"username": username})
             return {"login_token": token,
                     "username": username,
                     }
-    return "Invalid username and/or password"
+        else:
+            return {"error": "Invalid username and/or password."}
 
 
 @hug.get("/api/harmonization", requires=token_authentication, versions=1)