From a1279ecca51fbe7014d841ed6bca8842d3441814 Mon Sep 17 00:00:00 2001 From: jessib Date: Thu, 28 Feb 2013 11:54:24 -0800 Subject: When attempting to login, the error messages should not leak information about whether a username is valid. This also means the error message is more appropriate if somebody tries to login with somebody else's username and their password. --- users/config/locales/en.yml | 1 + users/lib/warden/strategies/secure_remote_password.rb | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml index 1b2789e..c1512eb 100644 --- a/users/config/locales/en.yml +++ b/users/config/locales/en.yml @@ -7,6 +7,7 @@ en: login_message: "Please login with your account." wrong_password: "wrong password" user_not_found: "could not be found" + invalid_user_pass: "Not a valid username/password combination" update_login_and_password: "Update Login and Password" cancel_account: "Cancel your account" remove_account: "Remove Account" diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb index 483336d..5032914 100644 --- a/users/lib/warden/strategies/secure_remote_password.rb +++ b/users/lib/warden/strategies/secure_remote_password.rb @@ -26,9 +26,11 @@ module Warden def validate! client = session[:handshake].authenticate(params['client_auth'].hex) - client ? - success!(User.find_by_login(client.username)) : - fail!(:password => "wrong_password") + if client + success!(User.find_by_login(client.username)) + else + fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"}) + end end def initialize! @@ -39,7 +41,7 @@ module Warden session[:handshake] = SRP::Session.new(client, params['A'].hex) custom! json_response(session[:handshake]) else - fail! :login => "user_not_found" + fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"}) end end -- cgit v1.2.3 From 733426aa3992dafaf1c58ede7e74018057a01148 Mon Sep 17 00:00:00 2001 From: jessib Date: Mon, 4 Mar 2013 11:37:56 -0800 Subject: Update tests and documentation to reflect changed error messages with incorrect username or password on login attempt. --- users/config/locales/en.yml | 2 -- users/test/integration/api/Readme.md | 2 +- users/test/integration/api/account_flow_test.rb | 4 ++-- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml index c1512eb..9e7d4b2 100644 --- a/users/config/locales/en.yml +++ b/users/config/locales/en.yml @@ -5,8 +5,6 @@ en: cancel: "Cancel" login: "Login" login_message: "Please login with your account." - wrong_password: "wrong password" - user_not_found: "could not be found" invalid_user_pass: "Not a valid username/password combination" update_login_and_password: "Update Login and Password" cancel_account: "Cancel your account" diff --git a/users/test/integration/api/Readme.md b/users/test/integration/api/Readme.md index 3a91f3d..04363bd 100644 --- a/users/test/integration/api/Readme.md +++ b/users/test/integration/api/Readme.md @@ -19,5 +19,5 @@ POST: http://localhost:9292/sessions -> {"B":"1778367531e93a4c7713c76f67649f35a4211ebc520926ae8c3848cd66171651"} PUT: http://localhost:9292/sessions/SWQ055 {"M": "123ABC"} - -> {"field":"password","error":"wrong password"} + -> {"errors":[{"login":"Not a valid username/password combination"},{"password":"Not a valid username/password combination"}]} ``` diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index 314d71a..e618541 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -75,7 +75,7 @@ class AccountFlowTest < ActiveSupport::TestCase test "signup and wrong password login attempt" do srp = SRP::Client.new @login, :password => "wrong password" server_auth = srp.authenticate(self) - assert_json_error :password => "wrong password" + assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"}) assert !last_response.successful? assert_nil server_auth["M2"] end @@ -86,7 +86,7 @@ class AccountFlowTest < ActiveSupport::TestCase assert_raises RECORD_NOT_FOUND do server_auth = srp.authenticate(self) end - assert_json_error :login => "could not be found" + assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"}) assert !last_response.successful? assert_nil server_auth end -- cgit v1.2.3