Improvement of notifying sign in error #454
Comments
Are you saying it should validate and tell whether the email is wrong, not only complain about the password, if I understand correctly? @hyochan

No. Looking inside the code, I found that it does not have any scenario that gives hints about a wrong email that does not match the database. Just telling the user that the email format is not correct does not create any security issue.

Okay, I get this now.

> No. Looking inside the code, I found that it does not have any scenario that gives hints about a wrong email that does not match the database. Just telling the user that the email format is not correct does not create any security issue.

Then, how about just displaying an error message like "가입하지 않은 아이디이거나, 잘못된 비밀번호입니다." (This ID is not registered, or the password is incorrect.) instead of displaying the red underline, because users may be confused by it (the email format is wrong, but the message is "비밀번호를 다시 확인해주세요." (Please check your password again.) with a red underline on the password field).

I think you've missed the code here: https://github.com/dooboolab/hackatalk/blob/ee38d64fba78203f63e13a80425e7e689d383c29/client/src/components/pages/SignIn/index.tsx#L176. I am still confused about what you are trying to achieve here. How about just giving a proposal if you think something is actually needed? Or it'd be good to bring another idea and focus on that 🤔

I've focused on these lines. Well, if you think it is not an issue, I will close this issue.
Specify project
Client
Is your feature request related to a problem? Please describe.
![hackatalk](https://user-images.githubusercontent.com/25196026/129472697-69791ec0-c3b6-468b-8943-97241b972b7e.gif)
When I tried to sign in with an incorrect email but the correct password, the error message displayed was "비밀번호를 다시 확인해주세요." (Please check your password again.).
Describe the solution you'd like
Currently, the server and the client tell you which part is wrong.
Telling the user which part is wrong is expected to be a security issue.
For example, the Naver login screen does not tell you which one is wrong when the ID or password is incorrect; it displays a message like "가입하지 않은 아이디이거나, 잘못된 비밀번호입니다." (This ID is not registered, or the password is incorrect.) instead. So I think it would be good to change it to work like Naver.
It tells you which part, email or password, is wrong on the client side when the sign-in button is clicked.
It is expected that there is a security issue with it.
Because of this, for example, when you sign in to Naver, it doesn't tell you which is wrong and says "You have not signed up for this ID, or the password is incorrect." instead.
How about following that approach?
Additional context
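The change the issue asks for, as an added example that is not hackatalk's code: a server-side check that returns one failure code whether the e-mail is unregistered or the password is wrong (and hashes in both cases so the two paths take similar time), and a client-side mapping that keeps only the format hint the comment above calls harmless. The in-memory user store, the scrypt scheme and the message strings are assumptions.

```typescript
import { scryptSync, timingSafeEqual, randomBytes } from 'crypto';

// Constructed in-memory user store (assumed, not hackatalk's schema): e-mail -> salt + scrypt hash.
const users = new Map<string, { salt: Buffer; hash: Buffer }>();
const hashPassword = (password: string, salt: Buffer): Buffer => scryptSync(password, salt, 32);

// Dummy credentials used when the e-mail is unknown, so the server still performs a hash
// and the "no such user" path costs about the same as the "wrong password" path.
const dummySalt = randomBytes(16);
const dummyHash = hashPassword('unused-dummy-password', dummySalt);

export function registerUser(email: string, password: string): void {
  const salt = randomBytes(16);
  users.set(email, { salt, hash: hashPassword(password, salt) });
}

// Server side: a single failure code, whether the e-mail is unregistered or the password is wrong.
export function authenticate(email: string, password: string): 'ok' | 'invalidCredentials' {
  const record = users.get(email) ?? { salt: dummySalt, hash: dummyHash };
  const candidate = hashPassword(password, record.salt);
  const match = timingSafeEqual(candidate, record.hash); // both 32 bytes, constant-time compare
  return match && users.has(email) ? 'ok' : 'invalidCredentials';
}

// Client side: which field (if any) gets an inline hint, and what the form-level message says.
export interface FieldErrors { email?: string; password?: string; form?: string }

// One message for every credential failure, as the issue proposes (wording assumed).
export const GENERIC_SIGN_IN_ERROR = 'This ID is not registered, or the password is incorrect.';

// A format check only says whether the string looks like an e-mail, nothing about the database.
export function validateEmailFormat(email: string): string | undefined {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) ? undefined : 'Please enter a valid e-mail address.';
}

export function signInErrors(email: string, password: string): FieldErrors {
  const emailError = validateEmailFormat(email);
  if (emailError) return { email: emailError }; // harmless inline hint, says nothing about existence
  if (password.length === 0) return { password: 'Please enter your password.' };
  // Neither the e-mail nor the password field is singled out when the credentials fail.
  return authenticate(email, password) === 'ok' ? {} : { form: GENERIC_SIGN_IN_ERROR };
}
```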