diff options
| author | jessib <jessib@leap.se> | 2013-02-28 11:54:24 -0800 |
|---|---|---|
| committer | jessib <jessib@leap.se> | 2013-02-28 11:54:24 -0800 |
| commit | a1279ecca51fbe7014d841ed6bca8842d3441814 (patch) | |
| tree | 0ed069bda6e312268714a8cb69f0e167b71d816b /users/lib/warden | |
| parent | 97fe2b4d19edacf2ea67c7efcfbec50feca305b0 (diff) | |
When attempting to login, the error messages should not leak information about whether a username is valid.
This also means the error message is more appropriate if somebody tries to login with somebody else's username and their password.
Diffstat (limited to 'users/lib/warden')
| -rw-r--r-- | users/lib/warden/strategies/secure_remote_password.rb | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb index 483336d..5032914 100644 --- a/users/lib/warden/strategies/secure_remote_password.rb +++ b/users/lib/warden/strategies/secure_remote_password.rb @@ -26,9 +26,11 @@ module Warden def validate! client = session[:handshake].authenticate(params['client_auth'].hex) - client ? - success!(User.find_by_login(client.username)) : - fail!(:password => "wrong_password") + if client + success!(User.find_by_login(client.username)) + else + fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"}) + end end def initialize! @@ -39,7 +41,7 @@ module Warden session[:handshake] = SRP::Session.new(client, params['A'].hex) custom! json_response(session[:handshake]) else - fail! :login => "user_not_found" + fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"}) end end |