summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjessib <jessib@riseup.net>2013-03-05 10:16:41 -0800
committerjessib <jessib@riseup.net>2013-03-05 10:16:41 -0800
commitf0ffc65aa38473ef280ed80526691d588f14c8de (patch)
tree1df9d9900872cf2e97d5c27b4175816eff5cbf80
parent87c306ea212c01ecc8f98009def5971fc4d5af11 (diff)
parent27c16ccceffa1d8eaaf02612cf29a60bfe6ced01 (diff)
Merge pull request #36 from leapcode/feature/limit_user_leak
When attempting to login, the error messages should not leak information...
-rw-r--r--users/config/locales/en.yml3
-rw-r--r--users/lib/warden/strategies/secure_remote_password.rb4
-rw-r--r--users/test/integration/api/Readme.md2
-rw-r--r--users/test/integration/api/account_flow_test.rb4
4 files changed, 6 insertions, 7 deletions
diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml
index 1b2789e..9e7d4b2 100644
--- a/users/config/locales/en.yml
+++ b/users/config/locales/en.yml
@@ -5,8 +5,7 @@ en:
cancel: "Cancel"
login: "Login"
login_message: "Please login with your account."
- wrong_password: "wrong password"
- user_not_found: "could not be found"
+ invalid_user_pass: "Not a valid username/password combination"
update_login_and_password: "Update Login and Password"
cancel_account: "Cancel your account"
remove_account: "Remove Account"
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 363e6a0..f1b1a57 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -28,7 +28,7 @@ module Warden
if client = validate
success!(User.find_by_login(client.username))
else
- fail!(:password => "wrong_password")
+ fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
end
end
@@ -44,7 +44,7 @@ module Warden
session[:handshake] = SRP::Session.new(client, params['A'].hex)
custom! json_response(session[:handshake])
else
- fail! :login => "user_not_found"
+ fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
end
end
diff --git a/users/test/integration/api/Readme.md b/users/test/integration/api/Readme.md
index 3a91f3d..04363bd 100644
--- a/users/test/integration/api/Readme.md
+++ b/users/test/integration/api/Readme.md
@@ -19,5 +19,5 @@ POST: http://localhost:9292/sessions
-> {"B":"1778367531e93a4c7713c76f67649f35a4211ebc520926ae8c3848cd66171651"}
PUT: http://localhost:9292/sessions/SWQ055
{"M": "123ABC"}
- -> {"field":"password","error":"wrong password"}
+ -> {"errors":[{"login":"Not a valid username/password combination"},{"password":"Not a valid username/password combination"}]}
```
diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb
index 314d71a..e618541 100644
--- a/users/test/integration/api/account_flow_test.rb
+++ b/users/test/integration/api/account_flow_test.rb
@@ -75,7 +75,7 @@ class AccountFlowTest < ActiveSupport::TestCase
test "signup and wrong password login attempt" do
srp = SRP::Client.new @login, :password => "wrong password"
server_auth = srp.authenticate(self)
- assert_json_error :password => "wrong password"
+ assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"})
assert !last_response.successful?
assert_nil server_auth["M2"]
end
@@ -86,7 +86,7 @@ class AccountFlowTest < ActiveSupport::TestCase
assert_raises RECORD_NOT_FOUND do
server_auth = srp.authenticate(self)
end
- assert_json_error :login => "could not be found"
+ assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"})
assert !last_response.successful?
assert_nil server_auth
end