When attempting to login, the error messages should not leak information about whether a username is valid.

This also means the error message is more appropriate if somebody tries to login with somebody else's username and their password.
author: jessib <jessib@leap.se> 2013-02-28 11:54:24 -0800
committer: jessib <jessib@leap.se> 2013-02-28 11:54:24 -0800
commit: a1279ecca51fbe7014d841ed6bca8842d3441814 (patch)
tree: 0ed069bda6e312268714a8cb69f0e167b71d816b /users/lib
parent: 97fe2b4d19edacf2ea67c7efcfbec50feca305b0 (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 483336d..5032914 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -26,9 +26,11 @@ module Warden
 
       def validate!
         client = session[:handshake].authenticate(params['client_auth'].hex)
-        client ?
-          success!(User.find_by_login(client.username)) :
-          fail!(:password => "wrong_password")
+        if client
+          success!(User.find_by_login(client.username))
+        else
+          fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
+        end
       end
 
       def initialize!
@@ -39,7 +41,7 @@ module Warden
           session[:handshake] = SRP::Session.new(client, params['A'].hex)
           custom! json_response(session[:handshake])
         else
-          fail! :login => "user_not_found"
+          fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
         end
       end
author	jessib <jessib@leap.se>	2013-02-28 11:54:24 -0800
committer	jessib <jessib@leap.se>	2013-02-28 11:54:24 -0800
commit	a1279ecca51fbe7014d841ed6bca8842d3441814 (patch)
tree	0ed069bda6e312268714a8cb69f0e167b71d816b /users/lib
parent	97fe2b4d19edacf2ea67c7efcfbec50feca305b0 (diff)