[-] return HTTP 405 for non-POST methods in login handler (#1226)

gemy26 · pashagolub · web-flow · commit 98d166e0c46c · 2026-02-24T17:15:28.000+01:00
* Added default case for unsupported methods in login handler

* fix tests

---------

Co-authored-by: Pavlo Golub &lt;pavlo.golub@gmail.com&gt;
diff --git a/internal/webserver/jwt.go b/internal/webserver/jwt.go
@@ -2,7 +2,6 @@ package webserver
 
 import (
 	"errors"
-	"fmt"
 	"net/http"
 	"time"
 
@@ -48,8 +47,9 @@ func (s *WebUIServer) handleLogin(w http.ResponseWriter, r *http.Request) {
 		}
 		_, err = w.Write([]byte(token))
 
-	case "GET":
-		fmt.Fprintf(w, "only POST methods is allowed.")
+	default:
+		w.Header().Set("Allow", "POST")
+		http.Error(w, "only POST method is allowed", http.StatusMethodNotAllowed)
 		return
 	}
 }
diff --git a/internal/webserver/jwt_test.go b/internal/webserver/jwt_test.go
@@ -59,9 +59,7 @@ func TestHandleLogin_GET(t *testing.T) {
 	w := httptest.NewRecorder()
 	ts.handleLogin(w, r)
 	resp := w.Result()
-	assert.Equal(t, http.StatusOK, resp.StatusCode)
-	body, _ := io.ReadAll(resp.Body)
-	assert.Equal(t, "only POST methods is allowed.", string(body))
+	assert.Equal(t, http.StatusMethodNotAllowed, resp.StatusCode)
 }
 
 func TestGenerateAndValidateJWT(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ package webserver`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"errors"`
`5`		`- "fmt"`
`6`	`5`	`"net/http"`
`7`	`6`	`"time"`
`8`	`7`
`@@ -48,8 +47,9 @@ func (s WebUIServer) handleLogin(w http.ResponseWriter, r http.Request) {`
`48`	`47`	`}`
`49`	`48`	`_, err = w.Write([]byte(token))`
`50`	`49`
`51`		`- case "GET":`
`52`		`- fmt.Fprintf(w, "only POST methods is allowed.")`
	`50`	`+ default:`
	`51`	`+ w.Header().Set("Allow", "POST")`
	`52`	`+ http.Error(w, "only POST method is allowed", http.StatusMethodNotAllowed)`
`53`	`53`	`return`
`54`	`54`	`}`
`55`	`55`	`}`