
Wrong error message when valid email format of not existing user and fake password provided #760

Open
4 tasks done
meceo opened this issue Apr 26, 2022 · 1 comment

Comments

@meceo

meceo commented Apr 26, 2022

ISSUES THAT DO NOT FOLLOW THIS TEMPLATE WILL BE CLOSED IMMEDIATELY.

  • This is not a usage question.
    • Our volunteers' time is limited, so please ask usage questions on
      StackOverflow.
  • This is not a security issue.
  • This bug is reproducible with a clean install of authlogic
  • I am committed to fixing this in a reasonable amount of time, and
    responding promptly to feedback.

Expected Behavior

For the login form: if the email of a non-existent user is in the correct format (for example xx@xx.com) and a fake password is provided, the error notification says: "Email is not valid".

(rdbg) @user_session    # ruby
#<UserSession: {:email=>"xx@xx.com", :password=>"<protected>"}>
(rdbg) @user_session.errors    # ruby
#<ActiveModel::Errors [#<ActiveModel::Error attribute=email, type=is not valid, options={}>]>

Additionally, the error message can't be translated using official translation keys. Other errors can be translated successfully.

pl:
  authlogic:
    error_messages:
      ...
      email_invalid: xxx should look like an email address.
      ...

Actual Behavior

The actual error message should be of type general_credentials_error because the email is valid. It simply doesn't exist in the database, but that information should not be exposed.

@mrpudn

mrpudn commented Jul 30, 2022

I experienced essentially this same issue.

When the email is valid and exists in the database, and the password is incorrect, I would receive an error that the password is invalid. When the email is valid but does not exist in the database, I would receive an error that the email is invalid.

I am surprised that this is the default behavior. This is a security flaw that can be exploited to reveal the presence of email addresses in your application's database. This should really not be the default.

I had to do some digging in the code to find where this can be changed. The solution was to add the following to my UserSession class:

class UserSession < Authlogic::Session::Base
  generalize_credentials_error_messages true
end

When generalize_credentials_error_messages is set to true, a generic error message will be added by add_invalid_password_error when a login fails regardless of whether the email address was present in the database, ex. "Email/Password combination is not valid". I have tested this change, and I am now seeing a generic error message, as desired.

Per the comments in the code, you can also add a custom message like so:

class UserSession < Authlogic::Session::Base
  generalize_credentials_error_messages "Your login information is invalid"
end

For i18n, it looks like this would be the way to change the message, but I have not tested this:

en:
  authlogic:
    error_messages:
      # ...
      general_credentials_error: Email/Password combination is not valid
      # ...

It looks like the code will perform the translation accordingly, though:

I18n.t("error_messages.general_credentials_error", default: error_message)
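As an added illustration (not Authlogic's own code, and not from either commenter), the following self-contained Ruby script reproduces the two behaviours described in this thread: a stand-in session class that, by default, emits distinguishable messages for an unknown email and for a wrong password, plus a `generalize` switch that mirrors `generalize_credentials_error_messages` (either `true` for the generic key or a custom string). The `FakeSession` class, the in-memory `USERS` table, the `MESSAGES` hash and the `leaks_account_existence?` check are all constructed for this example; reporting a malformed address as a format error even in generalized mode is the example's own choice, since that message does not depend on what is in the database.

```ruby
require "digest"

# Constructed sample user table: email => SHA-256 of (salt + password).
SALT = "constructed-salt".freeze
USERS = {
  "alice@example.com" => Digest::SHA256.hexdigest(SALT + "correct horse"),
}.freeze

# Stand-in for the authlogic.error_messages locale keys named in this thread.
MESSAGES = {
  email_invalid: "Email is not valid",
  password_invalid: "Password is not valid",
  general_credentials_error: "Email/Password combination is not valid",
}.freeze

# Hypothetical stand-in for Authlogic::Session::Base; not the library's code.
class FakeSession
  attr_reader :errors

  EMAIL_FORMAT = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

  # `generalize` mirrors generalize_credentials_error_messages:
  #   false  -> leaky per-field messages (the default behaviour reported above)
  #   true   -> the generic general_credentials_error message
  #   String -> a custom generic message
  def initialize(email, password, generalize: false)
    @email = email
    @password = password
    @generalize = generalize
    @errors = []
  end

  def valid?
    @errors.clear
    unless EMAIL_FORMAT.match?(@email)
      # A format error reveals nothing about the database, so it stays specific.
      @errors << MESSAGES[:email_invalid]
      return false
    end
    record = USERS[@email]
    if record.nil?
      # Leaky default: "Email is not valid" tells the caller the account does not exist.
      @errors << (@generalize ? general_message : MESSAGES[:email_invalid])
      return false
    end
    if Digest::SHA256.hexdigest(SALT + @password) != record
      @errors << (@generalize ? general_message : MESSAGES[:password_invalid])
      return false
    end
    true
  end

  private

  def general_message
    @generalize.is_a?(String) ? @generalize : MESSAGES[:general_credentials_error]
  end
end

# Returns the first error message for a login attempt, or nil on success.
def login_error(email, password, generalize: false)
  session = FakeSession.new(email, password, generalize: generalize)
  session.valid? ? nil : session.errors.first
end

# Defender's check: the two failure paths (unknown email vs. wrong password)
# must produce the same message, otherwise the login form enumerates accounts.
def leaks_account_existence?(generalize: false)
  unknown = login_error("nobody@example.com", "guess", generalize: generalize)
  wrong_pw = login_error("alice@example.com", "guess", generalize: generalize)
  unknown != wrong_pw
end

if __FILE__ == $PROGRAM_NAME
  puts "default:     leaks=#{leaks_account_existence?}"
  puts "generalized: leaks=#{leaks_account_existence?(generalize: true)}"
end
```

Running the script prints `leaks=true` for the default and `leaks=false` once the generic message is enabled; the same comparison, applied to a real login form's responses, is a quick regression test that the setting is actually in effect.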
