From 336707eaa153703e35a1e70ec54204ce10fe4f58 Mon Sep 17 00:00:00 2001
From: MadDogOwner
Date: Thu, 19 Feb 2026 15:23:53 +0800
Subject: [PATCH 1/2] chore(handles/auth): improve error response
Signed-off-by: MadDogOwner
---
 internal/model/user.go | 10 +++++++++-
 server/handles/auth.go | 18 +++++++++---------
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/internal/model/user.go b/internal/model/user.go
index 640e3b2e3..3bad4ebb9 100644
--- a/internal/model/user.go
+++ b/internal/model/user.go
@@ -20,7 +20,15 @@ const (
 ADMIN
 )
-const StaticHashSalt = "https://github.com/alist-org/alist"
+const (
+ StaticHashSalt = "https://github.com/alist-org/alist"
+ InvalidUsernameOrPassword = "Invalid username or password"
+ Invalid2FACode = "Invalid 2FA code"
+ TooManyAttempts = "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later."
+ GuestCannotUpdateProfile = "Guest user can not update profile"
+ GuestCannotGenerate2FA = "Guest user can not generate 2FA code"
+)
 var LoginCache = cache.NewMemCache[int]()
diff --git a/server/handles/auth.go b/server/handles/auth.go
index 35776ba6a..d4d452244 100644
--- a/server/handles/auth.go
+++ b/server/handles/auth.go
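Review bot: The new exported constants in the `const` block have no doc comment, so a reader of `model.InvalidUsernameOrPassword` cannot tell whether it is a client-facing response string or an error sentinel meant for `errors.Is`. A single group comment above the block such as `// Response messages returned verbatim to clients by the auth handlers.` would settle that, and `StaticHashSalt` arguably belongs in its own declaration rather than in a block of UI strings, since it is a hashing input and not a message. The `TooManyAttempts` text also reads oddly with the capitalised `Try` after a comma; since the string is being moved anyway, `... username or password. Try again later.` would be the moment to fix it.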
@@ -45,27 +45,27 @@ func loginHash(c *gin.Context, req *LoginReq) {
 ip := c.ClientIP()
 count, ok := model.LoginCache.Get(ip)
 if ok && count >= model.DefaultMaxAuthRetries {
- common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
+ common.ErrorStrResp(c, model.TooManyAttempts, 429)
 model.LoginCache.Expire(ip, model.DefaultLockDuration)
 return
 }
 // check username
 user, err := op.GetUserByName(req.Username)
 if err != nil {
- common.ErrorResp(c, err, 400)
+ common.ErrorStrResp(c, model.InvalidUsernameOrPassword, 401)
 model.LoginCache.Set(ip, count+1)
 return
 }
 // validate password hash
 if err := user.ValidatePwdStaticHash(req.Password); err != nil {
- common.ErrorResp(c, err, 400)
+ common.ErrorStrResp(c, model.InvalidUsernameOrPassword, 401)
 model.LoginCache.Set(ip, count+1)
 return
 }
 // check 2FA
 if user.OtpSecret != "" {
 if !totp.Validate(req.OtpCode, user.OtpSecret) {
- common.ErrorStrResp(c, "Invalid 2FA code", 402)
+ common.ErrorStrResp(c, model.Invalid2FACode, 401)
 model.LoginCache.Set(ip, count+1)
 return
 }
@@ -73,7 +73,7 @@ func loginHash(c *gin.Context, req *LoginReq) {
 // generate token
 token, err := common.GenerateToken(user)
 if err != nil {
- common.ErrorResp(c, err, 400, true)
+ common.ErrorResp(c, err, 500, true)
 return
 }
 common.SuccessResp(c, gin.H{"token": token})
@@ -107,7 +107,7 @@ func UpdateCurrent(c *gin.Context) {
 }
 user := c.Request.Context().Value(conf.UserKey).(*model.User)
 if user.IsGuest() {
- common.ErrorStrResp(c, "Guest user can not update profile", 403)
+ common.ErrorStrResp(c, model.GuestCannotUpdateProfile, 403)
 return
 }
 user.Username = req.Username
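Review bot: With the unknown-user and wrong-password branches now both answering `model.InvalidUsernameOrPassword` / 401, the remaining difference between them is that the first branch returns before `user.ValidatePwdStaticHash` runs, so the two failures may still be distinguishable by response time; how much depends on what `ValidatePwdStaticHash` costs, which is outside this hunk. If it is anything heavier than a plain digest compare, consider running the comparison against a fixed dummy value on the not-found path so both branches do the same work; if it is cheap, the per-IP counter that both branches increment is probably the adequate control, and a one-line comment on the not-found branch saying so (`// same message and counter as a bad password; timing difference accepted given the per-IP lockout`) would record the decision. `loginHash` starts before this hunk and continues past it.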
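Review bot: `common.ErrorResp(c, err, 500, true)` still hands the raw `err` from `common.GenerateToken` to the response helper; if `ErrorResp` echoes `err.Error()` into the body, as its name suggests, an internal signing failure (key or config problem) would reach the client along with the new 500. A fixed client message with the detail logged server-side would be safer, e.g. `common.ErrorStrResp(c, "failed to generate token", 500)` plus a log call — unless the fourth argument `true` already suppresses the message rather than just logging it, which I cannot tell from here. `loginHash` starts before this hunk.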
@@ -125,7 +125,7 @@ func UpdateCurrent(c *gin.Context) {
 func Generate2FA(c *gin.Context) {
 user := c.Request.Context().Value(conf.UserKey).(*model.User)
 if user.IsGuest() {
- common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)
+ common.ErrorStrResp(c, model.GuestCannotGenerate2FA, 403)
 return
 }
 key, err := totp.Generate(totp.GenerateOpts{
@@ -164,11 +164,11 @@ func Verify2FA(c *gin.Context) {
 }
 user := c.Request.Context().Value(conf.UserKey).(*model.User)
 if user.IsGuest() {
- common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)
+ common.ErrorStrResp(c, model.GuestCannotGenerate2FA, 403)
 return
 }
 if !totp.Validate(req.Code, req.Secret) {
- common.ErrorStrResp(c, "Invalid 2FA code", 400)
+ common.ErrorStrResp(c, model.Invalid2FACode, 400)
 return
 }
 user.OtpSecret = req.Secret
From c2c4c84c4706d2c943c6874cb32a7cfb11cf381d Mon Sep 17 00:00:00 2001
From: MadDogOwner
Date: Thu, 19 Feb 2026 17:11:40 +0800
Subject: [PATCH 2/2] Apply suggestion from @xrgzs
Signed-off-by: MadDogOwner
---
 server/handles/auth.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/handles/auth.go b/server/handles/auth.go
index d4d452244..780069091 100644
--- a/server/handles/auth.go
+++ b/server/handles/auth.go
@@ -65,7 +65,8 @@ func loginHash(c *gin.Context, req *LoginReq) {
 // check 2FA
 if user.OtpSecret != "" {
 if !totp.Validate(req.OtpCode, user.OtpSecret) {
- common.ErrorStrResp(c, model.Invalid2FACode, 401)
+ // 402 - need opt
+ common.ErrorStrResp(c, model.Invalid2FACode, 402)
 model.LoginCache.Set(ip, count+1)
 return
 }
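Review bot: The added comment `// 402 - need opt` does not explain why a login failure answers `402 Payment Required`, and `opt` looks like a typo for `otp`. Because this hunk deliberately reverts the 401 from the first patch, the status code is evidently a client contract (presumably the frontend switches to the OTP prompt on 402 — I cannot see the client from here), and the comment should say so: `// 402 is intentionally reused to mean "OTP required or wrong" so clients can switch to the OTP prompt; change only together with the frontend.` It is worth adding in the same comment that this status reveals the password was accepted, which is why the `model.LoginCache.Set(ip, count+1)` increment below must stay on this branch. The enclosing `if user.OtpSecret != ""` closes inside the hunk, but `loginHash` continues outside it.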