Web Login: Incorrect password message is misleading
kazemisoroush opened this issue
As a user, I want to see a message like "Invalid credentials" when I enter the wrong password. Instead, I see "User not found" which is misleading.
Here is the error message for the same request:
API_ROUTER: 2021/09/17 03:08:47 router.go:152: api error: error.api.request.incorrect_login_or_password (status=401). Details: User not found. . Where: LoginWithPassword.CheckPassword.
[negroni] 2021-09-17T03:08:47Z | 401 | 106.544718ms | identifo.dev.evergen.technology | POST /auth/login
This is happening in v2.1.2
The reason for this message is security.
Knowing the user name or email, you can guess whether the user is registered in the system. This information is private information itself. That is why, when the credentials are wrong, we should say something like "user is not found" or "credentials are wrong".
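The point above, as an added example that is not identifo's own code: both the unknown-user and wrong-password paths return the same error string that appears in the log (`error.api.request.incorrect_login_or_password`), and an unknown login is checked against a dummy record so the two paths also do the same amount of work. The user store, the salted SHA-256 "hash" (a stand-in for a real KDF such as bcrypt) and the account are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// One error for every failed login; the client cannot tell the two causes apart.
var ErrIncorrectLoginOrPassword = errors.New("error.api.request.incorrect_login_or_password")

// user is a constructed in-memory record (not identifo's real model).
type user struct {
	Salt []byte
	Hash []byte
}

// hashPassword is a stand-in for a real password KDF: salted SHA-256.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// users is a constructed store holding a single account.
var users = map[string]user{
	"alice@example.com": {Salt: []byte("salt-1"), Hash: hashPassword([]byte("salt-1"), "correct horse")},
}

// dummy is checked when the login is unknown, so an unknown user costs the
// same as a wrong password and response time does not leak existence.
var dummy = user{Salt: []byte("dummy-salt"), Hash: hashPassword([]byte("dummy-salt"), "dummy-password")}

// LoginWithPassword returns nil on success and ErrIncorrectLoginOrPassword on
// any failure, never distinguishing "user not found" from "wrong password".
func LoginWithPassword(login, password string) error {
	u, found := users[login]
	if !found {
		u = dummy
	}
	match := subtle.ConstantTimeCompare(hashPassword(u.Salt, password), u.Hash) == 1
	if !found || !match {
		// The detailed reason belongs in the server log only.
		return ErrIncorrectLoginOrPassword
	}
	return nil
}

func main() {
	fmt.Println(LoginWithPassword("alice@example.com", "correct horse")) // <nil>
	fmt.Println(LoginWithPassword("alice@example.com", "wrong"))         // generic error
	fmt.Println(LoginWithPassword("nobody@example.com", "wrong"))        // same generic error
}
```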
I agree with preventing the security issue, but the "Invalid credentials" error message won't give any information about whether the user exists or not.
yep, it is fixed