*: don't error out if a username doesn't exist in the backing connector

Instead of throwing a 500 error if a user enters an invalid name,
display the same text box as if the user had entered the wrong
password.

NOTE: An invalid username now returns much quicker than an invalid
password. Consider adding an arbitrary sleep in the future if we
care about masking which was invalid.
This commit is contained in:
Eric Chiang 2016-11-01 14:03:22 -07:00
parent 2a9051c864
commit 57a59d4631
3 changed files with 13 additions and 7 deletions

View File

@ -310,7 +310,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
switch n := len(resp.Entries); n { switch n := len(resp.Entries); n {
case 0: case 0:
return fmt.Errorf("ldap: no results returned for filter: %q", filter) log.Printf("ldap: no results returned for filter: %q", filter)
incorrectPass = true
return nil
case 1: case 1:
default: default:
return fmt.Errorf("ldap: filter returned multiple (%d) results: %q", n, filter) return fmt.Errorf("ldap: filter returned multiple (%d) results: %q", n, filter)
@ -335,6 +337,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
if err != nil { if err != nil {
return connector.Identity{}, false, err return connector.Identity{}, false, err
} }
if incorrectPass {
return connector.Identity{}, false, nil
}
// Encode entry for follow up requests such as the groups query and // Encode entry for follow up requests such as the groups query and
// refresh attempts. // refresh attempts.
@ -364,7 +369,7 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
return connector.Identity{}, false, err return connector.Identity{}, false, err
} }
return ident, !incorrectPass, nil return ident, true, nil
} }
func (c *ldapConnector) Groups(ident connector.Identity) ([]string, error) { func (c *ldapConnector) Groups(ident connector.Identity) ([]string, error) {

View File

@ -218,9 +218,10 @@ func (db passwordDB) Login(email, password string) (connector.Identity, bool, er
if err != nil { if err != nil {
if err != storage.ErrNotFound { if err != storage.ErrNotFound {
log.Printf("get password: %v", err) log.Printf("get password: %v", err)
}
return connector.Identity{}, false, err return connector.Identity{}, false, err
} }
return connector.Identity{}, false, nil
}
if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil { if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil {
return connector.Identity{}, false, nil return connector.Identity{}, false, nil
} }

View File

@ -660,7 +660,7 @@ func TestPasswordDB(t *testing.T) {
name: "unknown user", name: "unknown user",
username: "john@example.com", username: "john@example.com",
password: pw, password: pw,
wantErr: true, wantInvalid: true,
}, },
{ {
name: "invalid password", name: "invalid password",