bogus "Couldn't authenticate user: Invalid username/password" error #415
Comments
if the db doesn't even exist, maybe the error should just be "this database doesn't exist"
I'm worried that someone can use the error message to detect valid database names. InfluxDB is built to be a multitenant database, this error message leaks information that could potentially be a security risk. That's my opinion, I'm happy to hear others' opinions on this.
I could go either way on this. On the one hand, better error messages is better usability. But I see the potential security issue. Maybe we should optimize for usability? For those that care about security, they probably won't be exposing InfluxDB directly to the net anyway. Thus they'll have a proxy that everything has to go through and they can hide things there.
ok so maybe no "this database doesn't exist" messages. but then at least we can say "the user/password/database combination is incorrect", which reveals nothing, yet is clearer that it can be any of those 3 that's wrong.
Ok, that's doable. Moving this to 0.5.6
@malthe This issue is closed and is not related. Can you trace the request using tcpdump or wireshark and send the results on the mailing list with the error you're getting? I'm suspecting this has something to do with compression.
trying to connect with a valid user and pass, but incorrect database specified, yields "Couldn't authenticate user: Invalid username/password" error.
this wording is very confusing, arguably incorrect. maybe it should say something like "Could not authenticate with user/pass on database"
I've noticed this with both the admin web interface, as well as the python client.
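
The compromise reached in the comments (one message for every failure, with the real cause kept on the server) can be sketched as follows. This is an added example, not part of the original thread and not InfluxDB's code; `Store`, `Authenticate`, `sampleStore` and the sample credentials are hypothetical, and SHA-256 stands in for a real password hash to keep the sketch standard-library only.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrAuth is the only error a client ever sees; the wording is the one proposed in the thread.
var ErrAuth = errors.New("the user/password/database combination is incorrect")

// Store is a hypothetical in-memory model: database name -> user -> SHA-256 of the password.
type Store map[string]map[string][32]byte

var dummy = sha256.Sum256([]byte("dummy"))

// Authenticate returns a reason meant for the server log and a uniform error for the client.
func (s Store) Authenticate(db, user, pass string) (string, error) {
	want, reason := dummy, ""
	if users, ok := s[db]; !ok {
		reason = "unknown database"
	} else if h, ok := users[user]; !ok {
		reason = "unknown user"
	} else {
		want = h
	}
	// Always hash and compare, so an unknown database or user does the same work as a wrong password.
	got := sha256.Sum256([]byte(pass))
	match := subtle.ConstantTimeCompare(got[:], want[:]) == 1
	if reason == "" && !match {
		reason = "wrong password"
	}
	if reason != "" {
		return reason, ErrAuth
	}
	return "", nil
}

// sampleStore returns constructed sample data: one database with one user.
func sampleStore() Store {
	return Store{"metrics": {"alice": sha256.Sum256([]byte("s3cret"))}}
}

func main() {
	for _, c := range [][3]string{{"metrics", "alice", "s3cret"}, {"metrics", "alice", "bad"}, {"nosuchdb", "alice", "s3cret"}} {
		reason, err := sampleStore().Authenticate(c[0], c[1], c[2])
		fmt.Printf("client sees: %v | server log: %q\n", err, reason)
	}
}
```

The client-facing error is identical whether the database, the user or the password is wrong, so it cannot be used to confirm that a database name exists, while the log line still tells an operator which of the three it was.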