fix bugs from todo except first critical

http.go

@@ -7,6 +7,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"golang.org/x/crypto/bcrypt"
 )
 
 func isMethodAllowed(response *http.ResponseWriter, request *http.Request) bool {
@@ -53,6 +55,7 @@ func HttpHandleNewUser(response http.ResponseWriter, request *http.Request) {
 	color, err := parseRgb(request.FormValue("color"))
 	if err != nil {
 		http.Error(response, "bad color", http.StatusBadRequest)
+		return
 	}
 
 	hashedPassword, err := PasswordHash(password)
@@ -95,7 +98,9 @@ func HttpHandleLogin(response http.ResponseWriter, request *http.Request) {
 		return
 	}
 
-	if len(username) < 8 {
+	password := request.FormValue("password")
+
+	if len(password) < 8 {
 		http.Error(response, "no or short password", http.StatusBadRequest)
 		return
 	}
@@ -110,12 +115,18 @@ func HttpHandleLogin(response http.ResponseWriter, request *http.Request) {
 	if err != nil {
 		err := DbSetClientByName(ctx, client)
 		if err != nil {
-			http.Error(response, "bad login", http.StatusBadRequest)
+			http.Error(response, "bad login", http.StatusUnauthorized)
 			return
 		}
 		CacheSetClient(client)
 	}
 
+	err = bcrypt.CompareHashAndPassword([]byte(client.PasswordHash), []byte(password))
+	if err != nil {
+		http.Error(response, "bad login", http.StatusUnauthorized)
+		return
+	}
+
 	token, err := TokenCreate(client.Id)
 	if err != nil {
 		http.Error(response, "internal server error", http.StatusInternalServerError)