
Make incorrect username/email and incorrect password return same error message #3539

Closed
4 tasks done
SleeplessOne1917 opened this issue Jul 8, 2023 · 3 comments
Labels
area: auth enhancement New feature or request

Comments

@SleeplessOne1917
Member

Requirements

  • Is this a feature request? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • Did you check to see if this issue already exists?
  • Is this only a feature request? Do not put multiple feature requests in one issue.
  • Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Is your proposal related to a problem?

In a recently opened PR for the UI repo, I noticed that the server returns distinct error messages for incorrect usernames/emails and incorrect passwords. This will make it easier for an attacker to figure out if a brute force attack is successful.

Describe the solution you'd like.

Use the same error message for both. Something like "incorrect_username_email_or_password".

Describe alternatives you've considered.

Leaving it the way it is.

Additional context

No response

@SleeplessOne1917 SleeplessOne1917 added the enhancement New feature or request label Jul 8, 2023
@rosenjcb
Contributor

rosenjcb commented Jul 8, 2023

This would be very easy to swap out. Simply update lemmy-translations with a new key (e.g. incorrect_login) and the code can be swapped out simply:

lemmy/crates/api/src/local_user/login.rs

    // Verify the password
    let valid: bool = verify(
      &data.password,
      &local_user_view.local_user.password_encrypted,
    )
    .unwrap_or(false);
    if !valid {
      return Err(LemmyError::from_message("incorrect_login"));
    }
    check_user_valid(
      local_user_view.person.banned,
      local_user_view.person.ban_expires,
      local_user_view.person.deleted,
    )?;

    // Check if the user's email is verified if email verification is turned on
    // However, skip checking verification if the user is an admin
    if !local_user_view.person.admin
      && site_view.local_site.require_email_verification
      && !local_user_view.local_user.email_verified
    {
      return Err(LemmyError::from_message("incorrect_login"));
    }
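The pattern discussed above, as an added example that is not Lemmy's code: one error variant for an unknown account, a wrong password, and an unverified address, with the password verifier always run so that unknown accounts cost the same work. The in-memory user store, the `verify` stand-in and the `DUMMY_HASH` value are assumptions for illustration.

```rust
// Added example (not Lemmy's code): uniform login failure so the
// response does not reveal which accounts exist.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum LoginError {
    /// Single variant for every credential failure.
    IncorrectLogin,
}

pub struct LocalUser {
    pub password_encrypted: String,
    pub email_verified: bool,
}

/// Stand-in for a password-hash verifier such as bcrypt's `verify`
/// (placeholder: compares a tagged string, not a real KDF).
fn verify(password: &str, stored: &str) -> bool {
    stored == format!("tag${}", password)
}

/// Placeholder "hash" checked for unknown accounts so that the
/// verifier runs on every request, known account or not.
const DUMMY_HASH: &str = "dummy$never-matches";

pub fn login(
    users: &HashMap<String, LocalUser>,
    username_or_email: &str,
    password: &str,
    require_email_verification: bool,
) -> Result<String, LoginError> {
    let user = users.get(username_or_email);
    // Always run the verifier, even when the account does not exist.
    let stored = user.map(|u| u.password_encrypted.as_str()).unwrap_or(DUMMY_HASH);
    let valid = verify(password, stored);
    match user {
        Some(u) if valid => {
            if require_email_verification && !u.email_verified {
                return Err(LoginError::IncorrectLogin);
            }
            Ok(username_or_email.to_string())
        }
        // Unknown account and wrong password map to the same error.
        _ => Err(LoginError::IncorrectLogin),
    }
}
```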

@rosenjcb
Contributor

rosenjcb commented Jul 8, 2023

Here's my PR for the lemmy-translations update btw: LemmyNet/lemmy-translations#83

@Nutomic
Member

Nutomic commented Sep 28, 2023

This seems to be fixed, there is only an IncorrectLogin error.

@Nutomic Nutomic closed this as completed Sep 28, 2023