Support alternate sign in error message when email record does not exist #2147

Merged: 3 commits merged into plataformatec:master on Nov 19, 2012

2 participants

@gabetax

It can enhance user experience while signing in if the user can be explicitly told that their account does not exist, so they can try using any alternate or site-specific email addresses they have.

Currently devise uses the :invalid message, 'Invalid email or password.' when the user's account does not exist.

It is arguably less secure to allow attackers to figure out whether or not a given email address has an account in the system. However, this information is already exposed in the :recoverable module.

I propose that devise returns an alternate failure key when the account database record does not exist, and the end-developer can choose to expose this information by customizing their en.yml file.
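The trade-off described above (a distinct failure key that, by default, renders the same text as :invalid, so no account-existence information leaks until the developer customizes the locale file) can be checked mechanically. The following is an added, self-contained Ruby example, not Devise's code or anything from this PR: it simulates the strategy's failure-key choice, loads two constructed devise.en.yml fragments (the locale key path en.devise.failure.* and the message texts are assumptions), and answers whether the rendered messages alone let an attacker distinguish "wrong password" from "no such account". The PBKDF2 hashing, the static salt and the dummy hash on the not-found path are stand-ins chosen here; the thread itself discusses only the message text.

```ruby
require "openssl"
require "yaml"

# Stand-in password hashing (assumption: real deployments use the framework's
# own encryptor). A single static salt keeps the example deterministic.
ITERATIONS = 20_000
SALT = "constructed-static-salt"

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                             OpenSSL::Digest.new("sha256")).unpack1("H*")
end

# Constructed user store: email => password hash. Only one account exists.
USERS = {
  "alice@example.com" => hash_password("correct horse", SALT),
}.freeze

# Constant-time comparison so the hash check itself does not leak.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the split proposed in the PR: :invalid_email when no record exists,
# :invalid when the record exists but the password is wrong, nil on success.
# The dummy hash on the not-found path is a caveat added here: even if both
# keys render identical text, skipping the hash would let response time reveal
# which branch ran.
def failure_key(email, password)
  digest = USERS[email]
  if digest.nil?
    hash_password(password, SALT) # burn the same time as a real comparison
    return :invalid_email
  end
  secure_compare(hash_password(password, SALT), digest) ? nil : :invalid
end

# Constructed locale fragments. The default keeps :invalid_email identical to
# :invalid, as the PR's commit message says; the custom one exposes existence.
DEFAULT_LOCALE = <<~YAML
  en:
    devise:
      failure:
        invalid: "Invalid email or password."
        invalid_email: "Invalid email or password."
YAML

CUSTOM_LOCALE = <<~YAML
  en:
    devise:
      failure:
        invalid: "Invalid email or password."
        invalid_email: "No account exists for that email address. Try another address."
YAML

def failure_messages(locale_yaml)
  YAML.safe_load(locale_yaml).fetch("en").fetch("devise").fetch("failure")
end

# What the user (or attacker) actually sees for a sign-in attempt.
def sign_in_message(locale_yaml, email, password)
  key = failure_key(email, password)
  return "Signed in successfully." if key.nil?
  failure_messages(locale_yaml).fetch(key.to_s)
end

# True when the two failure texts differ, i.e. the locale file turns the
# :invalid_email key into an account-enumeration oracle.
def enumerable?(locale_yaml)
  m = failure_messages(locale_yaml)
  m["invalid"] != m["invalid_email"]
end

if $PROGRAM_NAME == __FILE__
  [DEFAULT_LOCALE, CUSTOM_LOCALE].each do |locale|
    puts "enumerable=#{enumerable?(locale)}"
    puts "  unknown account: #{sign_in_message(locale, 'nobody@example.com', 'x')}"
    puts "  wrong password:  #{sign_in_message(locale, 'alice@example.com', 'x')}"
  end
end
```

Running the file prints the two messages under each locale; a review of a real locale change can apply the same test: if the two translations differ, the application has opted in to revealing account existence on the sign-in form, which should be a deliberate decision rather than a side effect of editing en.yml.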

Gabe Martin-Dempesy added some commits Nov 18, 2012

cde2229 Support alternate sign in error message when email record does not exist
    By default, the nonexistent error is still identical to the :invalid
    message, and must be customized by the developer to implement.
ffab77c Fix typo on nonexistent error
@gabetax

Sorry - I made a typo in my first commit. I'm not well acquainted with pull request etiquette for getting these two commits squashed (if desired). Let me know if I should do anything like open an alternate pull request with the commits squashed.

@josevalim
Plataformatec member

Thanks for the pull request. There is no need to squash the commits, however there are a couple issues we need to address before we merge it:

  1. I believe the I18n key should be "invalid_email", since "nonexistent" would apply to different scenarios;
  2. We need tests.
@gabetax

I changed the key to :invalid_email and updated the existing test. Given that the default :invalid_email message is the same as :invalid and that the existing tests match against the post-translated string, I used store_translations in the test to explicitly change the :invalid_email translation.

@josevalim josevalim merged commit cbfdcbe into plataformatec:master Nov 19, 2012

The Travis build passed.