When performing login with a nonexistent or wrong user, the error message always gives the password as the cause.
For example:
```
epinio login -u wrong-user https://epinio.192.168.16.3.omg.howdoi.website
🚢 Login to your Epinio cluster [https://epinio.192.168.16.3.omg.howdoi.website]
Password:
⚠️ Certificate signed by unknown authority
| KEY | VALUE |
|-------------|-----------------|
| Issuer Name | CN=epinio-ca |
| Common Name | epinio-ca |
| Expiry | 2024-January-04 |
Do you want to trust it (y/n): y
✔️ Trusting certificate for address https://epinio.192.168.16.3.omg.howdoi.website...
❌ error verifying credentials: error while connecting to the Epinio server: wrong password
```
Perhaps we could:

- Change the output message to something that also points to username as a possible error cause like: `error verifying credentials: error while connecting to the Epinio server: wrong username or password`
- Search if that user exists first and handle the error towards username error or password error accordingly

> Search if that user exists first and handle the error towards username error or password error accordingly

That gives the attacker information, i.e. enabling separate search for a valid user before then having a go at the password.
Better to always claim wrong user or password.
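
As an added illustration of the point made in this comment (not Epinio's actual code), a credential check can return one error for both failure cases and do the same hashing work whether or not the user exists. The names `VerifyCredentials`, `users`, `dummy` and `hashPassword` are hypothetical, the user store is constructed sample data, and salted SHA-256 is only a stdlib stand-in for a real password hash such as bcrypt.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrBadCredentials is the only failure the caller ever sees, so the
// response does not reveal whether the username exists.
var ErrBadCredentials = errors.New("wrong username or password")

// hashPassword is a stand-in for a real password hash (bcrypt, argon2id);
// salted SHA-256 is used here only to keep the example stdlib-only.
func hashPassword(salt, password string) [32]byte {
	return sha256.Sum256([]byte(salt + ":" + password))
}

type user struct {
	salt string
	hash [32]byte
}

// Constructed sample user store (hypothetical).
var users = map[string]user{
	"admin": {salt: "s1", hash: hashPassword("s1", "correct-horse")},
}

// dummy is hashed against when the user is unknown, so both paths
// perform the same amount of work.
var dummy = user{salt: "dummy", hash: hashPassword("dummy", "not-a-real-password")}

// VerifyCredentials returns nil on success and ErrBadCredentials for
// an unknown user and for a wrong password alike.
func VerifyCredentials(username, password string) error {
	u, found := users[username]
	if !found {
		u = dummy
	}
	got := hashPassword(u.salt, password)
	match := subtle.ConstantTimeCompare(got[:], u.hash[:]) == 1
	if !found || !match {
		return ErrBadCredentials
	}
	return nil
}

func main() {
	fmt.Println(VerifyCredentials("wrong-user", "x"))        // unknown user
	fmt.Println(VerifyCredentials("admin", "x"))             // wrong password
	fmt.Println(VerifyCredentials("admin", "correct-horse")) // success
}
```

The specific cause (unknown user versus wrong password) can still be recorded in server-side logs for operators without being returned to the client.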