fix: clarify short token setup errors

ZengLiangYi · ZengLiangYi · commit e3a8a16697e2 · 2026-05-25T13:44:21.000+08:00
diff --git a/server/src/routes/setup.test.ts b/server/src/routes/setup.test.ts
@@ -110,6 +110,24 @@ test('setup complete rejects oversized and overlong public bodies without consum
   await app.close();
 });
 
+test('setup complete returns a clear error for short tokens without consuming setup code', async () => {
+  await auth.resetStoredAuthForLocalAdmin();
+  const setupCode = auth.getOrCreateSetupCode();
+  const app = Fastify();
+  await app.register(authRoutes);
+
+  const response = await app.inject({
+    method: 'POST',
+    url: '/api/setup/complete',
+    payload: { setupCode, token: 'short' },
+  });
+
+  assert.equal(response.statusCode, 400);
+  assert.equal(response.json().error, `Token must be at least ${auth.TOKEN_MIN_LENGTH} characters long`);
+  assert.equal(await auth.completeSetup(setupCode, 'valid-route-secret'), true);
+  await app.close();
+});
+
 test('token rotation rejects oversized and overlong public bodies before verification', async () => {
   await auth.resetStoredAuthForLocalAdmin();
   await auth.setStoredToken('current-route-secret');
diff --git a/server/src/routes/setup.ts b/server/src/routes/setup.ts
@@ -54,7 +54,7 @@ const setupCompleteRouteOptions = {
       additionalProperties: false,
       properties: {
         setupCode: { type: 'string', minLength: 1, maxLength: 128 },
-        token: { type: 'string', minLength: TOKEN_MIN_LENGTH, maxLength: TOKEN_MAX_LENGTH },
+        token: { type: 'string', minLength: 1, maxLength: TOKEN_MAX_LENGTH },
       },
     },
   },
@@ -69,12 +69,16 @@ const rotateTokenRouteOptions = {
       additionalProperties: false,
       properties: {
         currentToken: { type: 'string', minLength: 1, maxLength: TOKEN_MAX_LENGTH },
-        nextToken: { type: 'string', minLength: TOKEN_MIN_LENGTH, maxLength: TOKEN_MAX_LENGTH },
+        nextToken: { type: 'string', minLength: 1, maxLength: TOKEN_MAX_LENGTH },
       },
     },
   },
 } as const;
 
+function isTokenValidationError(err: unknown): boolean {
+  return err instanceof Error && /^Token must be /.test(err.message);
+}
+
 export async function authRoutes(app: FastifyInstance) {
   app.get('/api/setup/status', async (req) => {
     const token = bearerToken(req);
@@ -115,7 +119,7 @@ export async function authRoutes(app: FastifyInstance) {
       }
       return { success: true, data: { authenticated: true } };
     } catch (err) {
-      reply.status(429);
+      reply.status(isTokenValidationError(err) ? 400 : 429);
       return { success: false, error: err instanceof Error ? err.message : 'Setup failed' };
     }
   });
@@ -149,7 +153,7 @@ export async function authRoutes(app: FastifyInstance) {
         return { success: false, error: 'Current token is invalid' };
       }
     } catch (err) {
-      reply.status(409);
+      reply.status(isTokenValidationError(err) ? 400 : 409);
       return { success: false, error: err instanceof Error ? err.message : 'Token rotation failed' };
     }
     return { success: true, data: { rotated: true } };
