Fix: Return 401 instead of 500 for empty credentials (issue #40)

Copilot · stanleykc · Copilot · commit cb664e21cbd8 · 2026-01-07T03:24:06.000Z
Co-authored-by: stanleykc &lt;3931811+stanleykc@users.noreply.github.com&gt;
diff --git a/UnityAuth/src/main/java/io/unityfoundation/auth/UnityAuthenticationProvider.java b/UnityAuth/src/main/java/io/unityfoundation/auth/UnityAuthenticationProvider.java
@@ -59,7 +59,13 @@ private User findUser(AuthenticationRequest<?, ?> authRequest) {
   @Override
   public @NonNull Publisher<AuthenticationResponse> authenticate(
       @NonNull AuthenticationRequest<Object, Object> authenticationRequest) {
-            return Mono.fromCallable(() -> findUser(authenticationRequest))
+    if (authenticationRequest.getIdentity() == null ||
+        authenticationRequest.getIdentity().toString().isEmpty() ||
+        authenticationRequest.getSecret() == null ||
+        authenticationRequest.getSecret().toString().isEmpty()) {
+      return Mono.just(AuthenticationResponse.failure(CREDENTIALS_DO_NOT_MATCH.toString()));
+    }
+    return Mono.fromCallable(() -> findUser(authenticationRequest))
         .subscribeOn(Schedulers.boundedElastic())
         .flatMap(user -> {
           AuthenticationFailed authenticationFailed = validate(user, authenticationRequest);
diff --git a/UnityAuth/src/test/java/io/unityfoundation/UnityIamTest.java b/UnityAuth/src/test/java/io/unityfoundation/UnityIamTest.java
@@ -8,6 +8,7 @@
 import io.micronaut.http.HttpResponse;
 import io.micronaut.http.HttpStatus;
 import io.micronaut.http.client.HttpClient;
+import io.micronaut.http.client.exceptions.HttpClientResponseException;
 import io.micronaut.http.client.annotation.Client;
 import io.micronaut.security.authentication.UsernamePasswordCredentials;
 import io.micronaut.security.token.render.BearerAccessRefreshToken;
@@ -311,4 +312,22 @@ private String login(String username) {
     BearerAccessRefreshToken bearer = rsp.body();
     return bearer.getAccessToken();
   }
+
+  @Test
+  void login_failsWithEmptyPassword() {
+    UsernamePasswordCredentials creds = new UsernamePasswordCredentials("person1@test.io", "");
+    HttpRequest<?> request = HttpRequest.POST("/api/login", creds);
+    HttpClientResponseException exception = assertThrows(HttpClientResponseException.class, () ->
+        client.toBlocking().exchange(request, BearerAccessRefreshToken.class));
+    assertEquals(HttpStatus.UNAUTHORIZED, exception.getStatus());
+  }
+
+  @Test
+  void login_failsWithEmptyUsername() {
+    UsernamePasswordCredentials creds = new UsernamePasswordCredentials("", "test");
+    HttpRequest<?> request = HttpRequest.POST("/api/login", creds);
+    HttpClientResponseException exception = assertThrows(HttpClientResponseException.class, () ->
+        client.toBlocking().exchange(request, BearerAccessRefreshToken.class));
+    assertEquals(HttpStatus.UNAUTHORIZED, exception.getStatus());
+  }
 }
