Don't give extra information on failed login #1424

Closed
2 tasks done
Tracked by #1337
SamuelPull opened this issue Jul 25, 2023 · 0 comments · Fixed by #1425
Labels
api Indicates api related issue or feature frontend Indicates frontend related issue or feature

Comments

SamuelPull commented Jul 25, 2023

The frontend message is correct in hiding whether the user or the password is incorrect ("Incorrect login ID or password"); however, inspecting the response body shows the difference. The message for an existing user is "authentication failed: authentication failed for mstein: authentication failed", and the message for a non-existent user is "authentication failed: authentication failed for janko: authentication failed: Not found: user janko". Such information should not be revealed.

  • The error message propagated to the browser should be the same whether the username exists or not: "authentication failed"
  • Update tests, if required
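The leak described above comes from each layer wrapping the previous error's message, so the user-store's "Not found" reason ends up in the HTTP response. The following is an added illustration, not TruBudget's code: a constructed user store and two handlers, one forwarding the wrapped message (reproducing the two messages quoted in the report) and one mapping every failure to a single constant message while keeping the detailed reason in a server-side log.

```javascript
// Added example, not TruBudget code. Constructed user store: "mstein" exists,
// "janko" does not.
const USERS = new Map([["mstein", "correct-horse"]]);

// Internal check in the style the issue describes: each layer wraps the
// message of the layer below, so "Not found: user X" bubbles up unchanged.
function authenticateInternal(userId, password) {
  const stored = USERS.get(userId);
  if (stored === undefined) {
    throw new Error(`authentication failed for ${userId}: authentication failed: Not found: user ${userId}`);
  }
  if (stored !== password) {
    throw new Error(`authentication failed for ${userId}: authentication failed`);
  }
  return { userId };
}

// Leaky handler: forwards the wrapped error message verbatim in the body.
function loginLeaky(userId, password) {
  try {
    return { status: 200, body: authenticateInternal(userId, password) };
  } catch (err) {
    return { status: 401, body: { message: `authentication failed: ${err.message}` } };
  }
}

// Fixed handler: every failure maps to one constant message; the reason is
// recorded only in a server-side log (a constructed in-memory sink here).
const GENERIC_AUTH_ERROR = "authentication failed";
const serverLog = [];

function loginFixed(userId, password) {
  try {
    return { status: 200, body: authenticateInternal(userId, password) };
  } catch (err) {
    serverLog.push({ userId, reason: err.message }); // visible to operators only
    return { status: 401, body: { message: GENERIC_AUTH_ERROR } };
  }
}

// True when two responses cannot be told apart by a client reading the body.
function indistinguishable(a, b) {
  return a.status === b.status && JSON.stringify(a.body) === JSON.stringify(b.body);
}
```

Note that the fixed handler still skips the password comparison for unknown users, so response timing can differ; running the same comparison against a dummy credential on that path keeps the two cases alike in time as well.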
@issuelabeler issuelabeler bot added the frontend Indicates frontend related issue or feature label Jul 25, 2023
@SamuelPull SamuelPull changed the title (originally the full report text above) to Don't give extra information on failed login Jul 25, 2023
@SamuelPull SamuelPull added the api Indicates api related issue or feature label Jul 25, 2023
@georgimld georgimld added this to the Trubudget 2.3.0 milestone Oct 4, 2023