Compatibility with Devise paranoid mode
hlascelles opened this issue
When using this gem with Devise.paranoid = true we are seeing an issue.

- When you get a password wrong, Devise returns a 200 and the form again.
- When you get a username wrong (doesn't exist) in paranoid mode it also returns a 200 and the form. The user cannot enumerate known/unknown username lists.
- With authtrail 0.2.2 this worked fine.
- With authtrail 0.3.0 and higher, it will "Raise an exception instead of logging when auditing fails". This bubbles up to the front end and thus Devise now reveals the non-existence of a user.
Can we add some config to disable that change? Or, is there guidance on how to handle the exception and stay "paranoid"? Thanks!
Hey @hlascelles, what exception are you seeing?
Also, there are likely timing differences between tracking successful and failed login attempts, which could reveal the existence of a user to an attacker, so you'll probably want to avoid using this gem for that use case.
Edit: Nevermind, it'd be timing differences between different types of failed attempts you'd need to worry about. I'm not sure there are any right now, but it's not really a focus of the project.
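The leak described in the issue, as an added example that is not AuthTrail's or Devise's own code. The thread does not say which exception is raised or why auditing fails for a non-existent user, so the example simulates an audit step that raises whenever there is no user record to attach to (an assumption), compares the "raise" behaviour against a "log and continue" handler, and includes the check a practitioner would run: the response to a wrong password and the response to an unknown username must be identical. All names and the sample user table are constructed for the example.

```ruby
require "logger"

# Constructed sample credential store (assumption, not a real Devise user table).
USERS = { "alice@example.com" => "correct horse" }.freeze

# Stand-in for whatever error the audit raises; the thread does not name it.
class AuditFailed < StandardError; end

# Simulated login-activity audit. Assumption: it fails when there is no user
# record to attach the activity to, which is the only failure mode the
# thread implies (unknown username -> audit fails -> exception bubbles up).
def record_login_activity!(identity:, user:, success:)
  raise AuditFailed, "no user to attach login activity to" if user.nil?
  { identity: identity, user: user, success: success }
end

# Simulated controller responses: [status, body].
LOGIN_FORM = [200, "login form"].freeze
REDIRECT   = [302, "redirect"].freeze

def lookup(email, password)
  user = USERS.key?(email) ? email : nil
  success = !user.nil? && USERS[user] == password
  [user, success]
end

# "Raise" behaviour: the audit exception escapes the controller. A wrong
# password for a real account still renders the form, but an unknown email
# turns into a 500, so an attacker can tell the two cases apart.
def login_raising(email, password)
  user, success = lookup(email, password)
  record_login_activity!(identity: email, user: user, success: success)
  success ? REDIRECT : LOGIN_FORM
rescue AuditFailed => e
  [500, "error: #{e.message}"] # what the framework would render for an unhandled exception
end

# "Log and continue" behaviour: audit failures are logged server-side and never
# change the response, so every failed login renders the same form.
def login_paranoid(email, password, logger: Logger.new(IO::NULL))
  user, success = lookup(email, password)
  begin
    record_login_activity!(identity: email, user: user, success: success)
  rescue AuditFailed => e
    logger.warn("login audit failed for #{email}: #{e.message}")
  end
  success ? REDIRECT : LOGIN_FORM
end

# The check: wrong password on a known account and any password on an unknown
# account must produce byte-identical responses, otherwise usernames leak.
def enumeration_safe?(login)
  wrong_password = login.call("alice@example.com", "wrong")
  unknown_user   = login.call("nobody@example.com", "wrong")
  wrong_password == unknown_user
end

if __FILE__ == $PROGRAM_NAME
  puts "raise handler enumeration-safe?   #{enumeration_safe?(method(:login_raising))}"
  puts "logging handler enumeration-safe? #{enumeration_safe?(method(:login_paranoid))}"
end
```

The check only covers response bodies and status codes; as the maintainer's reply notes, timing differences between the two failure paths (for example, an audit write that happens on one path and not the other) are a separate channel and are not measured here.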