
Commit 640a1ee

committed
Return generic auth error to prevent user enumeration attacks
On invalid user/password error the error message "Invalid email or password" is returned. Thereby, no information about the existence of the user is given.
1 parent 25a26d6 commit 640a1ee


1 file changed

+5
-3
lines changed


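--- a/backend/internal/token.js
+++ b/backend/internal/token.js
@@ -5,6 +5,8 @@ const authModel = require('../models/auth');
 const helpers = require('../lib/helpers');
 const TokenModel = require('../models/token');
 
+const ERROR_MESSAGE_INVALID_AUTH = 'Invalid email or password';
+
 module.exports = {
 
 /**
@@ -69,15 +71,15 @@ module.exports = {
 };
 });
 } else {
-throw new error.AuthError('Invalid password');
+throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 }
 });
 } else {
-throw new error.AuthError('No password auth for user');
+throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 }
 });
 } else {
-throw new error.AuthError('No relevant user found');
+throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 }
 });
 },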
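Review bot: The three failure branches in the second hunk now return the same message, but they are reached after different amounts of work — the password check presumably runs only when a user record with password auth exists — so response timing may still hint at whether an email is registered; the hash comparison itself is outside the hunk, so confirm whether the "no user" path can be made to cost roughly the same as a failed password check. The specific causes ('Invalid password', 'No password auth for user', 'No relevant user found') are also dropped entirely, which hampers operators diagnosing login problems; keep the distinct reason in a server-side log or debug statement before each `throw` while the client still receives only `ERROR_MESSAGE_INVALID_AUTH`. The new constant in the first hunk deserves a why-comment so nobody later "improves" it back into distinct messages, e.g. `// One message for every auth failure so the response cannot reveal whether the email exists.` The enclosing function in the second hunk starts before and ends after the visible lines.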
