Merge pull request #36 from leapcode/feature/limit_user_leak

When attempting to login, the error messages should not leak information...
author: jessib <jessib@riseup.net> 2013-03-05 10:16:41 -0800
committer: jessib <jessib@riseup.net> 2013-03-05 10:16:41 -0800
commit: f0ffc65aa38473ef280ed80526691d588f14c8de (patch)
tree: 1df9d9900872cf2e97d5c27b4175816eff5cbf80 /users/lib/warden
parent: 87c306ea212c01ecc8f98009def5971fc4d5af11 (diff)
parent: 27c16ccceffa1d8eaaf02612cf29a60bfe6ced01 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 363e6a0..f1b1a57 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -28,7 +28,7 @@ module Warden
         if client = validate
           success!(User.find_by_login(client.username))
         else
-          fail!(:password => "wrong_password")
+          fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
         end
       end
 
@@ -44,7 +44,7 @@ module Warden
           session[:handshake] = SRP::Session.new(client, params['A'].hex)
           custom! json_response(session[:handshake])
         else
-          fail! :login => "user_not_found"
+          fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
         end
       end
author	jessib <jessib@riseup.net>	2013-03-05 10:16:41 -0800
committer	jessib <jessib@riseup.net>	2013-03-05 10:16:41 -0800
commit	f0ffc65aa38473ef280ed80526691d588f14c8de (patch)
tree	1df9d9900872cf2e97d5c27b4175816eff5cbf80 /users/lib/warden
parent	87c306ea212c01ecc8f98009def5971fc4d5af11 (diff)
parent	27c16ccceffa1d8eaaf02612cf29a60bfe6ced01 (diff)