Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Faliure to login results in an unhandled exception #55

Closed
LiorEluse opened this issue May 24, 2022 · 1 comment · Fixed by #70
Closed

Faliure to login results in an unhandled exception #55

LiorEluse opened this issue May 24, 2022 · 1 comment · Fixed by #70
Assignees
@piyushroshan
Labels
bug Something isn't working

Comments

@LiorEluse
Copy link

Description
When sending a post request to the login page (/identity/api/auth/login), bad credentials result in an exception raised (From springframework?), in function authenticateUser (Raised from calling authenticateUserLogin)

One more issue is that you actually mean to return 500 for an unsuccessful login. i.e

return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(jwtToken);

Which doesn't make much sense, but is never reached anyways. The 500 actually derives from an exception, and you have no control over it.

You should wrap the JwtResponse in a try/catch block, and return an HttpStatus.UNAUTHORIZED response accordingly. You also have a string for bad credentials so better use that in the response.

To Reproduce
Send a POST request to /identity/api/auth/login with fake credentials

Expected behavior
An 403 or 401 should've been returned by you and not by an exception raised from the authentication management library.

Runtime Environment
Docker version 20.10.12, build e91ed57
Linux 5.14.0-1033-oem #36-Ubuntu SMP Mon Apr 4 15:15:49 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
@LiorEluse LiorEluse added the bug Something isn't working label May 24, 2022
@piyushroshan piyushroshan self-assigned this May 25, 2022
@mathew-jose mathew-jose mentioned this issue May 27, 2022
Merged
4 tasks
nikhil-rajesh added a commit to mathew-jose/crAPI that referenced this issue May 28, 2022
@nikhil-rajesh
login bug fix - OWASP#55
0d2198a
@piyushroshan piyushroshan linked a pull request May 28, 2022 that will close this issue
Incorrect Login Credentials Unhandled Exception #70
Merged
4 tasks
@piyushroshan
Copy link
Collaborator

This is fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@piyushroshan piyushroshan

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Incorrect Login Credentials Unhandled Exception mathew-jose/crAPI
2 participants
@piyushroshan @LiorEluse