Web Login: Incorrect password message is misleading

Question

Web Login: Incorrect password message is misleading

kazemisoroush opened this issue 3 years ago · comments

As a user, I want to see a message like "Invalid credentials" when I enter the wrong password. Instead, I see "User not found" which is misleading.

Here is the error message for the same request:

API_ROUTER: 2021/09/17 03:08:47 router.go:152: api error: error.api.request.incorrect_login_or_password (status=401). Details: User not found. . Where: LoginWithPassword.CheckPassword.
[negroni] 2021-09-17T03:08:47Z | 401 |   106.544718ms | identifo.dev.evergen.technology | POST /auth/login
A

Soroush Kazemi · Answer 1 · Fri Sep 17 2021 11:35:54 GMT+0800 (China Standard Time)

This is happening in v2.1.2

Jack Rudenko · Answer 2 · Fri Sep 17 2021 12:12:55 GMT+0800 (China Standard Time)

The reason for this message is security.

knowing the user name or email you can guess if the user registered in the system. This information is private information itself. That is why when the credentials are wrong we should tell something user is not found or credentials are wrong

Soroush Kazemi · Answer 3 · Fri Sep 17 2021 12:33:36 GMT+0800 (China Standard Time)

I agree with preventing the security issue but the Invalid credentials error message won't give any information about the user exists or not.

Jack Rudenko · Answer 4 · Mon Oct 18 2021 08:47:08 GMT+0800 (China Standard Time)

yep, it is fixed