diff --git a/hscontrol/db/preauth_keys.go b/hscontrol/db/preauth_keys.go index 00676726..c8369f79 100644 --- a/hscontrol/db/preauth_keys.go +++ b/hscontrol/db/preauth_keys.go @@ -15,7 +15,10 @@ import ( ) var ( - ErrPreAuthKeyNotFound = errors.New("auth-key not found") + // ErrPreAuthKeyNotFound wraps gorm.ErrRecordNotFound so an unknown or + // deleted key is treated as a missing record by callers, which the + // registration handler maps to a 401 rather than a raw server error. + ErrPreAuthKeyNotFound = fmt.Errorf("auth-key not found: %w", gorm.ErrRecordNotFound) ErrPreAuthKeyExpired = errors.New("auth-key expired") ErrSingleUseAuthKeyHasBeenUsed = errors.New("auth-key has already been used") ErrUserMismatch = errors.New("user mismatch") diff --git a/hscontrol/db/preauth_keys_test.go b/hscontrol/db/preauth_keys_test.go index 25bec17e..c152959c 100644 --- a/hscontrol/db/preauth_keys_test.go +++ b/hscontrol/db/preauth_keys_test.go @@ -487,3 +487,16 @@ func TestUsePreAuthKeyAtomicCAS(t *testing.T) { "second UsePreAuthKey error must be a PAKError, got: %v", err) assert.Equal(t, "authkey already used", pakErr.Error()) } + +// TestGetPreAuthKeyUnknownMapsToRecordNotFound ensures an unknown (or deleted) +// pre-auth key resolves to a record-not-found error, which the registration +// handler maps to a 401 rather than a raw server error. +func TestGetPreAuthKeyUnknownMapsToRecordNotFound(t *testing.T) { + db, err := newSQLiteTestDB() + require.NoError(t, err) + + _, err = db.GetPreAuthKey("nonexistent-key") + require.Error(t, err) + require.ErrorIs(t, err, gorm.ErrRecordNotFound, + "unknown pre-auth key must map to record-not-found (handled as 401)") +}