*: don't error out if a username doesn't exist in the backing connector

Instead of throwing a 500 error if a user enters an invalid name, display the same text box as if the user had entered the wrong password. NOTE: An invalid username now returns much quicker than an invalid password. Consider adding an arbitrary sleep in the future if we care about masking which was invalid.
2016-11-01 14:03:22 -07:00
parent 2a9051c864
commit 57a59d4631
3 changed files with 13 additions and 7 deletions
--- a/server/server.go
+++ b/server/server.go
@@ -218,8 +218,9 @@ func (db passwordDB) Login(email, password string) (connector.Identity, bool, er
 	if err != nil {
 		if err != storage.ErrNotFound {
 			log.Printf("get password: %v", err)
+			return connector.Identity{}, false, err
 		}
-		return connector.Identity{}, false, err
+		return connector.Identity{}, false, nil
 	}
 	if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil {
 		return connector.Identity{}, false, nil
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -657,10 +657,10 @@ func TestPasswordDB(t *testing.T) {
 			},
 		},
 		{
-			name:     "unknown user",
-			username: "john@example.com",
-			password: pw,
-			wantErr:  true,
+			name:        "unknown user",
+			username:    "john@example.com",
+			password:    pw,
+			wantInvalid: true,
 		},
 		{
 			name:        "invalid password",