This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

Add some abstraction to local strategy login error #575

Merged
merged 1 commit into from
Jun 3, 2015
Conversation

pgrodrigues
Contributor

This is implemented in master but it is not in 0.4.0.

This basically prevents username enumeration by providing the same error message when the username doesn't exist or when the username/password combination is wrong.

@ilanbiala
Member

I would rather say that the account doesn't exist, and then say that it's an invalid email or password if it does.

@pgrodrigues
Contributor Author

From a user point of view, ofc it looks nicer to know, in case you made a mistake while logging in, whether your username or password is wrong.

However for a user with bad intentions this can be seen as a simple and effective way to prevent him from building a dataset with registered usernames.

It's an option each developer can make.

@ilanbiala
Member

@lirantal thoughts?

@lirantal
Member

lirantal commented Jun 2, 2015

Looks ok

@ilanbiala ilanbiala self-assigned this Jun 3, 2015
ilanbiala added a commit that referenced this pull request Jun 3, 2015
Abstract the local strategy login error to thwart hackers
@ilanbiala ilanbiala merged commit cd5db4a into meanjs:0.4.0 Jun 3, 2015
3 participants