User enumeration still possible through login error messages in Gitea 1.25.1

[d3struct1v3-create]

Description

I noticed that user enumeration is still possible in Gitea version 1.25.1 through the login error messages.

When attempting authentication:

If the username does not exist -> Gitea returns: user does not exist
If the username exists but the password is wrong -> Gitea returns: user's password is invalid

This make it possible to reliably determine whether a username exists.

Gitea Version

1.25.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

1. Attempt login with a non-existing username
2. Attempt login with an existing username but wrong password

Git Version

No response

Operating System

No response

How are you running Gitea?

Locally on my machine

Database

None

[a1012112796]

looks the result is ok in my test on gitea.com:

[d3struct1v3-create]

Here is a fresh test on Gitea 1.25.1 (local instance).
User enumeration is still possible via API.

As you can see in the screenshot:
• Request to /api/v1/user with a non-existing username returns:
"user does not exist"
• Request with an existing username but wrong password returns:
"user’s password is invalid [uid:1, name:root]"
→ This message discloses:
• the username is valid
• the internal UID
• different error behavior

[d3struct1v3-create]

The same behavior also occurs with an invalid username.

As shown in the screenshot:
• Request to /api/v1/user with a wrong username returns:
"user does not exist"
• Request to /api/swagger with the same wrong username still produces a structured JSON message indicating:
"user does not exist [uid:0, name: root]"