From 6b12a45a958b6eb2175d4071156d9039399c8d7a Mon Sep 17 00:00:00 2001
From: Blake Blackshear
Date: Tue, 10 Dec 2024 07:42:55 -0600
Subject: [PATCH] return 401 for login failures (#15432)
* return 401 for login failures
* only setup the rate limiter when configured
---
 frigate/api/auth.py | 4 ++--
 frigate/api/fastapi_app.py | 6 +++++-
 web/src/api/index.tsx | 7 +++++--
 web/src/components/auth/AuthForm.tsx | 2 +-
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 8f0fead853..be59174504 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -329,7 +329,7 @@ def login(request: Request, body: AppPostLoginBody):
 try:
 db_user: User = User.get_by_id(user)
 except DoesNotExist:
- return JSONResponse(content={"message": "Login failed"}, status_code=400)
+ return JSONResponse(content={"message": "Login failed"}, status_code=401)
 password_hash = db_user.password_hash
 if verify_password(password, password_hash):
@@ -340,7 +340,7 @@ def login(request: Request, body: AppPostLoginBody):
 response, JWT_COOKIE_NAME, encoded_jwt, expiration, JWT_COOKIE_SECURE
 )
 return response
- return JSONResponse(content={"message": "Login failed"}, status_code=400)
+ return JSONResponse(content={"message": "Login failed"}, status_code=401)
 @router.get("/users")
diff --git a/frigate/api/fastapi_app.py b/frigate/api/fastapi_app.py
index e3542458ef..168404ea61 100644
--- a/frigate/api/fastapi_app.py
+++ b/frigate/api/fastapi_app.py
@@ -87,7 +87,11 @@ async def startup():
 logger.info("FastAPI started")
 # Rate limiter (used for login endpoint)
- auth.rateLimiter.set_limit(frigate_config.auth.failed_login_rate_limit or "")
+ if frigate_config.auth.failed_login_rate_limit is None:
+ limiter.enabled = False
+ else:
+ auth.rateLimiter.set_limit(frigate_config.auth.failed_login_rate_limit)
+
 app.state.limiter = limiter
 app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
 app.add_middleware(SlowAPIMiddleware)
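Review bot: Both `Login failed` responses now carry 401 with an identical body, which keeps the unknown-user and wrong-password cases indistinguishable by status and message, but the `except DoesNotExist:` return in this hunk happens before `verify_password` ever runs, so the two paths still differ measurably in response time; the same change in the second hunk at -340 has the same property. Consider running the password verification against a constant dummy hash on the not-found path so both branches do comparable work, and document the intent on the return, e.g. `# same status and body as the wrong-password path: do not reveal whether the user exists`. The failed-login rate limiter configured in the fastapi_app.py hunk is the other mitigation for guessing, so the two should be read together. login() begins before this hunk and its success branch is only partly visible.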
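Review bot: The new `is None` test is narrower than the `or ""` it replaces: a configured-but-empty value such as `""` no longer disables the limiter and instead reaches `auth.rateLimiter.set_limit("")`, so unless the config model already rejects empty strings, `if not frigate_config.auth.failed_login_rate_limit:` preserves the previous fallback. The disabled branch also deserves a comment stating what the default means for the login endpoint, e.g. `# No failed_login_rate_limit configured: slowapi is disabled and failed logins are not throttled`. Whether `limiter.enabled` is True by default when a limit is set is not visible in the hunk; startup() begins before it.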
diff --git a/web/src/api/index.tsx b/web/src/api/index.tsx
index 3ac8806c72..a9044a6d7f 100644
--- a/web/src/api/index.tsx
+++ b/web/src/api/index.tsx
@@ -29,8 +29,11 @@ export function ApiProvider({ children, options }: ApiProviderType) {
 error.response &&
 [401, 302, 307].includes(error.response.status)
 ) {
- window.location.href =
- error.response.headers.get("location") ?? "login";
+ // redirect to the login page if not already there
+ const loginPage = error.response.headers.get("location") ?? "login";
+ if (window.location.href !== loginPage) {
+ window.location.href = loginPage;
+ }
 }
 },
 ...options,
diff --git a/web/src/components/auth/AuthForm.tsx b/web/src/components/auth/AuthForm.tsx
index 9daa929662..99ce37283d 100644
--- a/web/src/components/auth/AuthForm.tsx
+++ b/web/src/components/auth/AuthForm.tsx
@@ -63,7 +63,7 @@ export function UserAuthForm({ className, ...props }: UserAuthFormProps) {
 toast.error("Exceeded rate limit. Try again later.", {
 position: "top-center",
 });
- } else if (err.response?.status === 400) {
+ } else if (err.response?.status === 401) {
 toast.error("Login failed", {
 position: "top-center",
 });
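Review bot: The guard `if (window.location.href !== loginPage)` compares the absolute current URL with a value that, absent a `location` header, is the relative string `"login"`, so the comparison is effectively always true and the redirect (and page reload) still fires on every 401 that reaches this handler, including ones the login page itself receives now that failed logins return 401. Normalising both sides against the current document fixes the loop guard: `const target = new URL(loginPage, window.location.href);` followed by `if (window.location.pathname !== target.pathname) { window.location.href = target.href; }`. Whether the `location` header is ever an absolute URL is not visible here; ApiProvider's onError callback begins and ends outside the hunk.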