Update login to return 400 bad request instead of 404 not found for unknown login ID to prevent revealing existence

Author: tjementum

application/account-management/Core/Features/Authentication/Commands/CompleteLogin.cs

@@ -34,7 +34,11 @@ public async Task<Result> Handle(CompleteLoginCommand command, CancellationToken
     {
         var login = await loginRepository.GetByIdAsync(command.Id, cancellationToken);
 
-        if (login is null) return Result.NotFound($"Login with id '{command.Id}' not found.");
+        if (login is null)
+        {
+            // For security, avoid confirming the existence of login IDs
+            return Result.BadRequest("The code is wrong or no longer valid.");
+        }
 
         if (login.Completed)
         {

application/account-management/Tests/Authentication/CompleteLoginTests.cs

@@ -47,7 +47,7 @@ public async Task CompleteLogin_WhenValid_ShouldCompleteLoginAndCreateTokens()
     }
 
     [Fact]
-    public async Task CompleteLogin_WhenLoginNotFound_ShouldReturnNotFound()
+    public async Task CompleteLogin_WhenLoginNotFound_ShouldReturnBadRequest()
     {
         // Arrange
         var invalidLoginId = LoginId.NewId();
@@ -57,8 +57,7 @@ public async Task CompleteLogin_WhenLoginNotFound_ShouldReturnNotFound()
         var response = await AnonymousHttpClient.PostAsJsonAsync($"/api/account-management/authentication/login/{invalidLoginId}/complete", command);
 
         // Assert
-        var expectedDetail = $"Login with id '{invalidLoginId}' not found.";
-        await response.ShouldHaveErrorStatusCode(HttpStatusCode.NotFound, expectedDetail);
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.BadRequest, "The code is wrong or no longer valid.");
 
         TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeFalse();
         TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();