Authentication code error message #51
Comments
+1
in to do authentication on login specifically, look for the
@ZempTime that is helpful, but I don't think it works around the original issue, which is that it should be possible for a specific message to be shown when the authentication code is invalid but the username and password are valid.
It's possible to display a specific message when only the authentication code is incorrect with a few changes to your model and the Devise language configuration file.

```ruby
# app/models/user.rb
class User < ActiveRecord::Base
  # ...

  # Devise calls this to choose the failure message key. Return :invalid_otp
  # when the last OTP check on this instance failed, otherwise the default.
  def unauthenticated_message
    if @failed_otp
      :invalid_otp
    else
      super
    end
  end

  # Wrap devise-two-factor's OTP check and remember whether it failed.
  # @failed_otp is nil (falsy) until the first check on this instance, so it
  # needs no class-level initialisation.
  def validate_and_consume_otp!(code, options = {})
    @failed_otp = !super(code, options)
    !@failed_otp
  end

  private

  # ...
end
```

```yaml
# config/locales/devise.en.yml
en:
  devise:
    failure:
      invalid_otp: "Invalid authentication code."
```
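To show the override in isolation, here is an added stand-alone example (not the gem's code and not the commenter's): `OtpBase` stands in for devise-two-factor's `validate_and_consume_otp!` with a constructed fixed code, `login_message` stands in for Devise's failure-message lookup, and the message table mirrors the locale file above. It also shows that the specific message is only reachable once the password check has passed, which is the trade-off discussed later in this thread.

```ruby
# Stub for the behaviour devise-two-factor and Devise provide (assumption:
# the real gem verifies a TOTP; here a constructed code "123456" is accepted).
module OtpBase
  def validate_and_consume_otp!(code, _options = {})
    code == "123456"
  end

  # Stand-in for Devise::Models::Authenticatable#unauthenticated_message.
  def unauthenticated_message
    :invalid
  end
end

class User
  include OtpBase

  # Pick the locale key: :invalid_otp only when the most recent OTP check on
  # this instance failed, otherwise Devise's default key.
  def unauthenticated_message
    @failed_otp ? :invalid_otp : super
  end

  # Remember the outcome of the OTP check so the message can reflect it.
  def validate_and_consume_otp!(code, options = {})
    @failed_otp = !super(code, options)
    !@failed_otp
  end
end

# Constructed copy of the relevant keys from config/locales/devise.en.yml.
FAILURE_MESSAGES = {
  invalid: "Invalid email or password.",
  invalid_otp: "Invalid authentication code."
}.freeze

# One login attempt: returns the message Devise would show, or nil on success.
# The OTP is only checked after the password, so the OTP-specific message
# also confirms to the caller that the email/password pair was correct.
def login_message(user, password_ok:, otp_code:)
  return FAILURE_MESSAGES[:invalid] unless password_ok
  return nil if user.validate_and_consume_otp!(otp_code)
  FAILURE_MESSAGES[user.unauthenticated_message]
end
```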
@mattcg perfect for my situation! I added a little bit:
This is a perfectly valid use-case, but it's worth keeping in mind the usability / security trade-off that's being made. More specific messages are helpful to the user, but they also provide more information to an attacker. For example, depending on what error messages you use, an attacker that compares a leaked username / password list from another site against your login form will either gain no information about whether the user exists, or they will learn that the user does exist, and that they shared their password across the two sites. From there, they might opt to perform a more targeted attack against the user. Whether that's something you're concerned with is up for debate, but it's worth remembering when deciding to provide more detailed error messages.
If a user gets an authentication code error, the error message is still 'Invalid email or password.' How do I change the message to something like 'Authentication code is wrong'?