fix: return invalid login creds before email not confirmed (#284)

supabase · Nov 25, 2021 · 92abe18 · 92abe18
1 parent ee6027c
commit 92abe18
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/api/token.go b/api/token.go
@@ -168,16 +168,16 @@ func (a *API) ResourceOwnerPasswordGrant(ctx context.Context, w http.ResponseWri
 		return internalServerError("Database error querying schema").WithInternalError(err)
 	}
 
+	if !user.Authenticate(params.Password) {
+		return oauthError("invalid_grant", InvalidLoginMessage)
+	}
+
 	if params.Email != "" && !user.IsConfirmed() {
 		return oauthError("invalid_grant", "Email not confirmed")
 	} else if params.Phone != "" && !user.IsPhoneConfirmed() {
 		return oauthError("invalid_grant", "Phone not confirmed")
 	}
 
-	if !user.Authenticate(params.Password) {
-		return oauthError("invalid_grant", InvalidLoginMessage)
-	}
-
 	var token *AccessTokenResponse
 	err = a.db.Transaction(func(tx *storage.Connection) error {
 		var terr error