From 57a59d46319f291ed3f6b1a9c3293bcead1b19f5 Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Tue, 1 Nov 2016 14:03:22 -0700
Subject: [PATCH] *: don't error out if a username doesn't exist in the backing connector

Instead of throwing a 500 error if a user enters an invalid name, display the same text box as if the user had entered the wrong password.

NOTE: An invalid username now returns much quicker than an invalid password. Consider adding an arbitrary sleep in the future if we care about masking which was invalid.
---
 connector/ldap/ldap.go | 9 +++++++--
 server/server.go | 3 ++-
 server/server_test.go | 8 ++++----
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index 80f84f2a..841ff110 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -310,7 +310,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 		switch n := len(resp.Entries); n {
 		case 0:
-			return fmt.Errorf("ldap: no results returned for filter: %q", filter)
+			log.Printf("ldap: no results returned for filter: %q", filter)
+			incorrectPass = true
+			return nil
 		case 1:
 		default:
 			return fmt.Errorf("ldap: filter returned multiple (%d) results: %q", n, filter)
@@ -335,6 +337,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 	if err != nil {
 		return connector.Identity{}, false, err
 	}
+	if incorrectPass {
+		return connector.Identity{}, false, nil
+	}
 	// Encode entry for follow up requests such as the groups query and
 	// refresh attempts.
@@ -364,7 +369,7 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 		return connector.Identity{}, false, err
 	}
-	return ident, !incorrectPass, nil
+	return ident, true, nil
 }
 func (c *ldapConnector) Groups(ident connector.Identity) ([]string, error) {
diff --git a/server/server.go b/server/server.go
index 603a23cb..3f347013 100644
--- a/server/server.go
+++ b/server/server.go
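Review bot: `incorrectPass = true` on the `case 0` branch now records an unknown user rather than a rejected password, so the flag's name no longer describes what it holds; a comment at the assignment such as `// No matching entry: report it exactly like a wrong password so callers cannot tell the two apart.` (or renaming the flag to `invalidCredentials`) would keep the intent visible where it is set here, where it is consumed in the second hunk, and where `!incorrectPass` was dropped in the third. The commit message observes that this branch returns before any bind is attempted and is therefore faster than a wrong-password attempt; that observation belongs in the code too, e.g. `// TODO: returns faster than a failed bind; see commit message about evening out the timing.` The new `log.Printf` also writes the search filter, which appears to be built from the supplied username, on every unknown-user attempt at the default log level, so it is worth confirming that is the intended log volume for a routine login failure. Login's body begins before the first hunk and ends after the third.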
@@ -218,8 +218,9 @@ func (db passwordDB) Login(email, password string) (connector.Identity, bool, er
 	if err != nil {
 		if err != storage.ErrNotFound {
 			log.Printf("get password: %v", err)
+			return connector.Identity{}, false, err
 		}
-		return connector.Identity{}, false, err
+		return connector.Identity{}, false, nil
 	}
 	if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil {
 		return connector.Identity{}, false, nil
diff --git a/server/server_test.go b/server/server_test.go
index 009a8dc2..d3ba1e3e 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -657,10 +657,10 @@ func TestPasswordDB(t *testing.T) {
 			},
 		},
 		{
-			name: "unknown user",
-			username: "john@example.com",
-			password: pw,
-			wantErr: true,
+			name: "unknown user",
+			username: "john@example.com",
+			password: pw,
+			wantInvalid: true,
 		},
 		{
 			name: "invalid password",
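Review bot: The new `return connector.Identity{}, false, nil` for the not-found case runs before `bcrypt.CompareHashAndPassword`, so an unknown email is rejected almost immediately while a known one pays the full bcrypt cost; this is the same timing difference the commit message notes for the LDAP connector, and it is larger here because bcrypt is deliberately slow. A comment at that return, `// Unknown user: treated as invalid credentials. Skips the bcrypt compare, so it returns faster than a wrong password.`, keeps the trade-off visible in the code, and a follow-up could run the compare against a fixed placeholder hash on this path to even the cost out. Login's body continues outside the hunk.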