From a1279ecca51fbe7014d841ed6bca8842d3441814 Mon Sep 17 00:00:00 2001
From: jessib <jessib@leap.se>
Date: Thu, 28 Feb 2013 11:54:24 -0800
Subject: When attempting to login, the error messages should not leak
 information about whether a username is valid.

This also means the error message is more appropriate if somebody tries to login with somebody else's username and their password.
---
 users/config/locales/en.yml                           |  1 +
 users/lib/warden/strategies/secure_remote_password.rb | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

(limited to 'users')

diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml
index 1b2789e..c1512eb 100644
--- a/users/config/locales/en.yml
+++ b/users/config/locales/en.yml
@@ -7,6 +7,7 @@ en:
   login_message: "Please login with your account."
   wrong_password: "wrong password"
   user_not_found: "could not be found"
+  invalid_user_pass: "Not a valid username/password combination"
   update_login_and_password: "Update Login and Password"
   cancel_account: "Cancel your account"
   remove_account: "Remove Account"
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 483336d..5032914 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -26,9 +26,11 @@ module Warden
 
       def validate!
         client = session[:handshake].authenticate(params['client_auth'].hex)
-        client ?
-          success!(User.find_by_login(client.username)) :
-          fail!(:password => "wrong_password")
+        if client
+          success!(User.find_by_login(client.username))
+        else
+          fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
+        end
       end
 
       def initialize!
@@ -39,7 +41,7 @@ module Warden
           session[:handshake] = SRP::Session.new(client, params['A'].hex)
           custom! json_response(session[:handshake])
         else
-          fail! :login => "user_not_found"
+          fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"})
         end
       end
 
-- 
cgit v1.2.3


From 733426aa3992dafaf1c58ede7e74018057a01148 Mon Sep 17 00:00:00 2001
From: jessib <jessib@leap.se>
Date: Mon, 4 Mar 2013 11:37:56 -0800
Subject: Update tests and documentation to reflect changed error messages with
 incorrect username or password on login attempt.

---
 users/config/locales/en.yml                     | 2 --
 users/test/integration/api/Readme.md            | 2 +-
 users/test/integration/api/account_flow_test.rb | 4 ++--
 3 files changed, 3 insertions(+), 5 deletions(-)

(limited to 'users')

diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml
index c1512eb..9e7d4b2 100644
--- a/users/config/locales/en.yml
+++ b/users/config/locales/en.yml
@@ -5,8 +5,6 @@ en:
   cancel: "Cancel"
   login: "Login"
   login_message: "Please login with your account."
-  wrong_password: "wrong password"
-  user_not_found: "could not be found"
   invalid_user_pass: "Not a valid username/password combination"
   update_login_and_password: "Update Login and Password"
   cancel_account: "Cancel your account"
diff --git a/users/test/integration/api/Readme.md b/users/test/integration/api/Readme.md
index 3a91f3d..04363bd 100644
--- a/users/test/integration/api/Readme.md
+++ b/users/test/integration/api/Readme.md
@@ -19,5 +19,5 @@ POST: http://localhost:9292/sessions
  -> {"B":"1778367531e93a4c7713c76f67649f35a4211ebc520926ae8c3848cd66171651"}
 PUT: http://localhost:9292/sessions/SWQ055
     {"M": "123ABC"}
- -> {"field":"password","error":"wrong password"}
+ -> {"errors":[{"login":"Not a valid username/password combination"},{"password":"Not a valid username/password combination"}]}
 ```
diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb
index 314d71a..e618541 100644
--- a/users/test/integration/api/account_flow_test.rb
+++ b/users/test/integration/api/account_flow_test.rb
@@ -75,7 +75,7 @@ class AccountFlowTest < ActiveSupport::TestCase
   test "signup and wrong password login attempt" do
     srp = SRP::Client.new @login, :password => "wrong password"
     server_auth = srp.authenticate(self)
-    assert_json_error :password => "wrong password"
+    assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"})
     assert !last_response.successful?
     assert_nil server_auth["M2"]
   end
@@ -86,7 +86,7 @@ class AccountFlowTest < ActiveSupport::TestCase
     assert_raises RECORD_NOT_FOUND do
       server_auth = srp.authenticate(self)
     end
-    assert_json_error :login => "could not be found"
+    assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"})
     assert !last_response.successful?
     assert_nil server_auth
   end
-- 
cgit v1.2.3