From 9a6ed2c8c877eacf712b9a6251be8417dc02457e Mon Sep 17 00:00:00 2001
From: Juliusz Chroboczek <jch@irif.fr>
Date: Wed, 4 Dec 2024 13:32:51 +0100
Subject: [PATCH] Return 404 errors for tokens in unknown groups.

---
 webserver/api.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/webserver/api.go b/webserver/api.go
index 2cd4da1..186d94d 100644
--- a/webserver/api.go
+++ b/webserver/api.go
@@ -500,6 +500,12 @@ func tokensHandler(w http.ResponseWriter, r *http.Request, g, pth string) {
 	if !checkAdmin(w, r) {
 		return
 	}
+	// check that the group exists
+	_, err := group.GetDescription(g)
+	if err != nil {
+		httpError(w, err)
+		return
+	}
 	if pth == "/" {
 		if r.Method == "HEAD" || r.Method == "GET" {
 			tokens, etag, err := token.List(g)