
Support alternate sign in error message when email record does not exist #2147

Merged
merged 3 commits into from

2 participants

@gabetax

It can enhance user experience while signing in if the user can be explicitly told that their account does not exist, so they can try using any alternate or site-specific email addresses they have.

Currently devise uses the :invalid message, 'Invalid email or password.' when the user's account does not exist.

It is arguably less secure to allow attackers to figure out whether or not a given email address has an account in the system. However, this information is already exposed in the :recoverable module.

I propose that devise returns an alternate failure key when the account database record does not exist, and the end-developer can choose to expose this information by customizing their en.yml file.
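As an added illustration of the proposal above (not Devise's own code, and not part of the pull request), the following stand-alone Ruby models the sign-in decision with a separate failure key for a missing record, and resolves that key through a scoped locale lookup with fallback, the way the test in this PR relies on. The user table, locale hashes and the `authenticate`/`failure_message`/`responses` helpers are all constructed for the demo; it also assumes the password-presence check is kept separate from the record lookup.

```ruby
# Added illustration, not Devise's code: a stripped-down model of the sign-in
# decision proposed in this PR plus the locale lookup the failure key goes
# through. Names mimic Devise's but nothing here is imported from it.

# Constructed "database": email => password (plaintext only for the demo).
USERS = { "alice@example.com" => "correct-horse" }.freeze

# Default locale: both keys deliberately carry the same wording, so an unknown
# email and a wrong password are indistinguishable to the client.
DEFAULT_LOCALE = {
  "devise.failure.invalid"       => "Invalid email or password.",
  "devise.failure.invalid_email" => "Invalid email or password.",
}.freeze

# Site-specific override a developer may choose to add, scoped to :admin the
# way the integration test in this PR does it.
CUSTOM_LOCALE = DEFAULT_LOCALE.merge(
  "devise.failure.admin.invalid_email" => "Invalid email address",
).freeze

# Two checks kept separate (assumption of this demo): a missing record yields
# :invalid_email, a blank or wrong password yields :invalid.
def authenticate(email, password)
  return [:invalid, nil] if password.nil? || password.empty? # param missing
  stored = USERS[email]
  return [:invalid_email, nil] unless stored
  return [:invalid, nil] unless stored == password
  [:ok, email]
end

# Scoped lookup with fallback: devise.failure.<scope>.<key> first, then
# devise.failure.<key>.
def failure_message(locale, scope, key)
  locale["devise.failure.#{scope}.#{key}"] || locale["devise.failure.#{key}"]
end

# Returns [message for unknown email, message for wrong password] so a caller
# can see whether the two failures are distinguishable under a given locale.
def responses(locale, scope)
  unknown_key = authenticate("nobody@example.com", "whatever").first
  wrong_key   = authenticate("alice@example.com", "wrong").first
  [failure_message(locale, scope, unknown_key), failure_message(locale, scope, wrong_key)]
end

if __FILE__ == $PROGRAM_NAME
  p responses(DEFAULT_LOCALE, :admin) # identical strings: no enumeration
  p responses(CUSTOM_LOCALE, :admin)  # different strings: existence disclosed
end
```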

Gabe Martin-... added some commits

cde2229 Gabe Martin-Dempesy: Support alternate sign in error message when email record does not exist
By default, the nonexistent error is still identical to the :invalid
message, and must be customized by the developer to implement.

ffab77c Gabe Martin-Dempesy: Fix typo on nonexistent error
@gabetax

Sorry - I made a typo in my first commit. I'm not well acquainted with pull request etiquette for getting these two commits squashed (if desired). Let me know if I should do anything like open an alternate pull request with the commits squashed.

@josevalim
Owner

Thanks for the pull request. There is no need to squash the commits, however there are a couple issues we need to address before we merge it:

  1. I believe the I18n key should be "invalid_email", since "nonexistent" would apply to different scenarios;
  2. We need tests;
@gabetax

I changed the key to :invalid_email and updated the existing test. Given that the default :invalid_email message is the same as :invalid and that the existing tests match against the post-translated string, I used store_translations in the test to explicitly change the :invalid_email translation.

@josevalim josevalim merged commit cbfdcbe into from
Commits on Nov 18, 2012
  1. Support alternate sign in error message when email record does not exist

    Gabe Martin-Dempesy authored
    By default, the nonexistent error is still identical to the :invalid
    message, and must be customized by the developer to implement.
  2. Fix typo on nonexistent error

    Gabe Martin-Dempesy authored
Commits on Nov 19, 2012
1  config/locales/en.yml
@@ -19,6 +19,7 @@ en:
unconfirmed: 'You have to confirm your account before continuing.'
locked: 'Your account is locked.'
invalid: 'Invalid email or password.'
+ invalid_email: 'Invalid email or password.'
invalid_token: 'Invalid authentication token.'
timeout: 'Your session expired, please sign in again to continue.'
inactive: 'Your account was not activated yet.'
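Review bot: the new `invalid_email` entry intentionally repeats the wording of `invalid`, but nothing in the file records that this sameness is what keeps a non-existent address indistinguishable from a wrong password; add a comment above the line (e.g. `# Changing this message lets callers learn whether an email is registered.`) so a developer editing the locale sees the trade-off the PR description spells out before customizing it.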
2  lib/devise/strategies/database_authenticatable.rb
@@ -6,7 +6,7 @@ module Strategies
class DatabaseAuthenticatable < Authenticatable
def authenticate!
resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
- return fail(:invalid) unless resource
+ return fail(:invalid_email) unless resource
if validate(resource){ resource.valid_password?(password) }
resource.after_database_authentication
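Review bot: in `authenticate!`, `resource` is nil both when `valid_password?` is false (no password submitted) and when `find_for_database_authentication` returns nothing, because the two are chained with `&&` on the line above; `fail(:invalid_email)` is therefore also raised for a registered email with a blank password, which becomes misleading once the key is customized. Split the checks so `:invalid_email` is only returned when the lookup fails, e.g.
return fail(:invalid) unless valid_password?
resource = mapping.to.find_for_database_authentication(authentication_hash)
return fail(:invalid_email) unless resource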
12 test/integration/database_authenticatable_test.rb
@@ -53,12 +53,14 @@ class DatabaseAuthenticationTest < ActionController::IntegrationTest
end
test 'sign in with invalid email should return to sign in form with error message' do
- sign_in_as_admin do
- fill_in 'email', :with => 'wrongemail@test.com'
- end
+ store_translations :en, :devise => { :failure => { :admin => { :invalid_email => 'Invalid email address' } } } do
+ sign_in_as_admin do
+ fill_in 'email', :with => 'wrongemail@test.com'
+ end
- assert_contain 'Invalid email or password'
- assert_not warden.authenticated?(:admin)
+ assert_contain 'Invalid email address'
+ assert_not warden.authenticated?(:admin)
+ end
end
test 'sign in with invalid pasword should return to sign in form with error message' do
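Review bot: replacing the old `assert_contain 'Invalid email or password'` assertion with the `store_translations` variant removes the only check that the default `invalid_email` text is still identical to `invalid`, which is the non-enumerating behaviour the PR description promises; keep a second test without `store_translations` that signs in with 'wrongemail@test.com' and asserts the default message, so a future locale change that accidentally diverges the two strings is caught.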