Return the same error message from /login
when password is incorrect and when account doesn't exist. (#12738)
This commit is contained in:
parent
f30bcbd84a
commit
b5a3aecf18
1
changelog.d/12738.misc
Normal file
1
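--- a/changelog.d/12738.misc
+++ b/changelog.d/12738.misc
@@ -0,0 +1 @@
+Report login failures due to unknown third party identifiers in the same way as failures due to invalid passwords. This prevents an attacker from using the error response to determine if the identifier exists. Contributed by Daniel Aloni.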
@ -81,6 +81,8 @@ if TYPE_CHECKING:
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
INVALID_USERNAME_OR_PASSWORD = "Invalid username or password"
|
||||
|
||||
|
||||
def convert_client_dict_legacy_fields_to_identifier(
|
||||
submission: JsonDict,
|
||||
@ -1215,7 +1217,9 @@ class AuthHandler:
|
||||
await self._failed_login_attempts_ratelimiter.can_do_action(
|
||||
None, (medium, address)
|
||||
)
|
||||
raise LoginError(403, "", errcode=Codes.FORBIDDEN)
|
||||
raise LoginError(
|
||||
403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN
|
||||
)
|
||||
|
||||
identifier_dict = {"type": "m.id.user", "user": user_id}
|
||||
|
||||
@ -1341,7 +1345,7 @@ class AuthHandler:
|
||||
|
||||
# We raise a 403 here, but note that if we're doing user-interactive
|
||||
# login, it turns all LoginErrors into a 401 anyway.
|
||||
raise LoginError(403, "Invalid password", errcode=Codes.FORBIDDEN)
|
||||
raise LoginError(403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN)
|
||||
|
||||
async def check_password_provider_3pid(
|
||||
self, medium: str, address: str, password: str
|
||||
|
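Review bot: The 3pid branch (hunk at line 1217) raises the shared message straight after the rate-limit check, with no password verification visible in the hunk, while the password branch (hunk at line 1345) only fails after the password has been checked, so the response timing can still differ between an unknown identifier and a wrong password even though the text is now identical; if that channel matters, the unknown-identifier path should do comparable work before raising, or the limitation should be recorded next to the raise. The new constant in the first hunk would benefit from a comment stating its intent, e.g. `# Shared by the unknown-account and wrong-password paths so the response does not reveal whether an account exists.` The one-line `raise LoginError(403, msg=INVALID_USERNAME_OR_PASSWORD, errcode=Codes.FORBIDDEN)` in the last hunk appears longer than the three-line wrapped form used in the 3pid hunk and may exceed the project's formatter limit, so wrapping it identically keeps the two sites consistent. The enclosing methods begin and end outside these hunks.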