While testing the auth handlers I noticed handlers/centrehead_auth.go CentreHeadLogin returns status codes that differ from the equivalent faculty/warden/admin handlers.
1. Wrong password returns 403 instead of 401:
```go
err := bcrypt.CompareHashAndPassword([]byte(head.Password), []byte(inputs.Password))
if err != nil {
    c.JSON(403, gin.H{"error": "incorrect password"}) // FacultyLogin/WardenLogin/AdminLogin use 401
    return
}
```
A failed credential check should be 401 Unauthorized; 403 Forbidden implies the caller is authenticated but not allowed.
2. Non-"record not found" DB error returns 404 instead of 500:
```go
result := h.DB.Where("email = ?", inputs.Email).Take(&head)
if result.Error != nil {
    if errors.Is(result.Error, gorm.ErrRecordNotFound) {
        c.JSON(404, gin.H{"error": "user not found"})
        return
    }
    c.JSON(404, gin.H{"error": "internal server error"}) // <-- should be 500
    return
}
```
The fallback branch reports 404 with an "internal server error" message — a genuine DB failure should surface as 500.
Fix
Use 401 for the bad-password branch and 500 for the unexpected-DB-error branch, matching the other login handlers.
(Not a bug, but related: the no-arg API contract would benefit from consistent status codes across all four login handlers.)
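The corrected branch logic pulled out into a dependency-free function, as an added example (not the project's handler): it assumes a local `errRecordNotFound` sentinel in place of `gorm.ErrRecordNotFound` and takes the lookup and bcrypt comparison errors as plain parameters, so the status mapping can be exercised without gin, gorm or a database. It also handles wrapped errors via `errors.Is`, which the original check already relies on.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// errRecordNotFound stands in for gorm.ErrRecordNotFound (assumption: the real
// handler uses gorm's sentinel; this example carries no gorm dependency).
var errRecordNotFound = errors.New("record not found")

// loginOutcome is the status/message pair the handler would hand to c.JSON.
type loginOutcome struct {
	Status  int
	Message string
}

// classifyLogin maps CentreHeadLogin's two failure sources to HTTP statuses.
// lookupErr is the error from h.DB.Where(...).Take(&head); compareErr is the
// error from bcrypt.CompareHashAndPassword. Both nil means a successful login.
func classifyLogin(lookupErr, compareErr error) loginOutcome {
	if lookupErr != nil {
		if errors.Is(lookupErr, errRecordNotFound) {
			// Kept at 404 to match the other login handlers, as the report asks.
			return loginOutcome{http.StatusNotFound, "user not found"}
		}
		// Any other DB error is a server fault, not a client fault: 500, not 404.
		return loginOutcome{http.StatusInternalServerError, "internal server error"}
	}
	if compareErr != nil {
		// Failed credential check: 401 Unauthorized, not 403 Forbidden.
		return loginOutcome{http.StatusUnauthorized, "incorrect password"}
	}
	return loginOutcome{http.StatusOK, "ok"}
}

func main() {
	// Constructed inputs covering each branch; the DB error is a made-up dial failure.
	cases := []struct{ lookup, compare error }{
		{nil, nil},
		{fmt.Errorf("take: %w", errRecordNotFound), nil},
		{errors.New("dial tcp 127.0.0.1:5432: connection refused"), nil},
		{nil, errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")},
	}
	for _, tc := range cases {
		fmt.Printf("%+v\n", classifyLogin(tc.lookup, tc.compare))
	}
}
```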