Merge pull request #4179 from tametsi/develop

Return generic auth error to prevent user enumeration attacks
2025-05-02 20:12:29 +00:00 · 2024-11-23 22:39:37 +10:00 · 2024-11-22 10:37:09 +01:00
1 changed files with 5 additions and 3 deletions
--- a/backend/internal/token.js
+++ b/backend/internal/token.js
@ -5,6 +5,8 @@ const authModel  = require('../models/auth');
 const helpers    = require('../lib/helpers');
 const TokenModel = require('../models/token');

+const ERROR_MESSAGE_INVALID_AUTH = 'Invalid email or password';
+
 module.exports = {

 	/**
@ -69,15 +71,15 @@ module.exports = {
 													};
 												});
 										} else {
-											throw new error.AuthError('Invalid password');
+											throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 										}
 									});
 							} else {
-								throw new error.AuthError('No password auth for user');
+								throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 							}
 						});
 				} else {
-					throw new error.AuthError('No relevant user found');
+					throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 				}
 			});
 	},
Author	SHA1	Message	Date
jc21	07a4e5791f	Merge pull request #4179 from tametsi/develop All checks were successful Close stale issues and PRs / stale (push) Successful in 4s Details Return generic auth error to prevent user enumeration attacks	2024-11-23 22:39:37 +10:00
tametsi	640a1eeb68	Return generic auth error to prevent user enumeration attacks On invalid user/password error the error message "Invalid email or password" is returned. Thereby, no information about the existence of the user is given.	2024-11-22 10:37:09 +01:00