From e7fe66a23ed367e54c5e553c463377e7c6e20b1e Mon Sep 17 00:00:00 2001
From: Brad Murray <bradtgmurray@gmail.com>
Date: Fri, 25 Jul 2025 16:48:09 -0400
Subject: [PATCH] login: wrap some common errors to return 400 instead of 500
 (#114)

---
 pkg/connector/login.go         | 19 +++++++++++++++++++
 pkg/connector/loginphone.go    |  7 ++++++-
 pkg/connector/loginqr.go       |  4 ++++
 pkg/gotd/telegram/auth/user.go |  8 +++++++-
 4 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/pkg/connector/login.go b/pkg/connector/login.go
index b515ee05..c475886c 100644
--- a/pkg/connector/login.go
+++ b/pkg/connector/login.go
@@ -19,6 +19,7 @@ package connector
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strings"
 
 	"maunium.net/go/mautrix/bridgev2"
@@ -38,6 +39,24 @@ const (
 	LoginStepIDComplete = "fi.mau.telegram.login.complete"
 )
 
+var (
+	ErrInvalidPassword = bridgev2.RespError{
+		ErrCode:    "FI.MAU.TELEGRAM.INVALID_PASSWORD",
+		Err:        "Invalid password",
+		StatusCode: http.StatusBadRequest,
+	}
+	ErrPhoneCodeInvalid = bridgev2.RespError{
+		ErrCode:    "FI.MAU.TELEGRAM.PHONE_CODE_INVALID",
+		Err:        "Invalid phone code",
+		StatusCode: http.StatusBadRequest,
+	}
+	ErrSignUpNotSupported = bridgev2.RespError{
+		ErrCode:    "FI.MAU.TELEGRAM.SIGN_UP_NOT_SUPPORTED",
+		Err:        "New account creation is not supported",
+		StatusCode: http.StatusBadRequest,
+	}
+)
+
 func (tg *TelegramConnector) GetLoginFlows() []bridgev2.LoginFlow {
 	return []bridgev2.LoginFlow{
 		{
diff --git a/pkg/connector/loginphone.go b/pkg/connector/loginphone.go
index 5568fc92..e9a49fb9 100644
--- a/pkg/connector/loginphone.go
+++ b/pkg/connector/loginphone.go
@@ -152,8 +152,10 @@ func (p *PhoneLogin) SubmitUserInput(ctx context.Context, input map[string]strin
 					},
 				},
 			}, nil
+		} else if errors.Is(err, auth.ErrPhoneCodeInvalid) {
+			return nil, ErrPhoneCodeInvalid
 		} else if errors.Is(err, &auth.SignUpRequired{}) {
-			return nil, fmt.Errorf("sign-up is not supported")
+			return nil, ErrSignUpNotSupported
 		} else if err != nil {
 			return nil, fmt.Errorf("failed to submit code: %w", err)
 		}
@@ -161,6 +163,9 @@ func (p *PhoneLogin) SubmitUserInput(ctx context.Context, input map[string]strin
 	} else if password, ok := input[LoginStepIDPassword]; ok {
 		authorization, err := p.authClient.Auth().Password(p.authClientCtx, password)
 		if err != nil {
+			if errors.Is(err, auth.ErrPasswordInvalid) {
+				return nil, ErrInvalidPassword
+			}
 			return nil, fmt.Errorf("failed to submit password: %w", err)
 		}
 		return p.handleAuthSuccess(ctx, authorization)
diff --git a/pkg/connector/loginqr.go b/pkg/connector/loginqr.go
index 884eb6f8..d1024f22 100644
--- a/pkg/connector/loginqr.go
+++ b/pkg/connector/loginqr.go
@@ -29,6 +29,7 @@ import (
 	"maunium.net/go/mautrix/bridgev2"
 
 	"go.mau.fi/mautrix-telegram/pkg/gotd/telegram"
+	"go.mau.fi/mautrix-telegram/pkg/gotd/telegram/auth"
 	"go.mau.fi/mautrix-telegram/pkg/gotd/telegram/auth/qrlogin"
 	"go.mau.fi/mautrix-telegram/pkg/gotd/telegram/updates"
 	"go.mau.fi/mautrix-telegram/pkg/gotd/tg"
@@ -193,6 +194,9 @@ func (q *QRLogin) SubmitUserInput(ctx context.Context, input map[string]string)
 	}
 	authorization, err := q.authClient.Auth().Password(q.authClientCtx, password)
 	if err != nil {
+		if errors.Is(err, auth.ErrPasswordInvalid) {
+			return nil, ErrInvalidPassword
+		}
 		return nil, fmt.Errorf("failed to submit password: %w", err)
 	}
 
diff --git a/pkg/gotd/telegram/auth/user.go b/pkg/gotd/telegram/auth/user.go
index 6c549027..2fa2441d 100644
--- a/pkg/gotd/telegram/auth/user.go
+++ b/pkg/gotd/telegram/auth/user.go
@@ -91,7 +91,10 @@ func (c *Client) SendCode(ctx context.Context, phone string, options SendCodeOpt
 // ErrPasswordAuthNeeded means that 2FA auth is required.
 //
 // Call Client.Password to provide 2FA password.
-var ErrPasswordAuthNeeded = errors.New("2FA required")
+var (
+	ErrPasswordAuthNeeded = errors.New("2FA required")
+	ErrPhoneCodeInvalid   = errors.New("Phone code invalid")
+)
 
 // SignIn performs sign in with provided user phone, code and code hash.
 //
@@ -108,6 +111,9 @@ func (c *Client) SignIn(ctx context.Context, phone, code, codeHash string) (*tg.
 	if tgerr.Is(err, "SESSION_PASSWORD_NEEDED") {
 		return nil, ErrPasswordAuthNeeded
 	}
+	if tgerr.Is(err, "PHONE_CODE_INVALID") {
+		return nil, ErrPasswordAuthNeeded
+	}
 	if err != nil {
 		return nil, errors.Wrap(err, "sign in")
 	}