ISSUES THAT DO NOT FOLLOW THIS TEMPLATE WILL BE CLOSED IMMEDIATELY.
This is not a usage question. Our volunteers' time is limited, so please ask usage questions on StackOverflow.
This is not a security issue. Do not disclose security issues in public. See our contributing guide for instructions.
This bug is reproducible with a clean install of authlogic.
I am committed to fixing this in a reasonable amount of time, and responding promptly to feedback.
Expected Behavior
For the login form: if the email of a non-existent user is in the correct format (for example xx@xx.com) and a fake password is provided, the error notification says: "Email is not valid".
Additionally, the error message can't be translated using official translation keys. Other errors can be translated successfully.

```yaml
pl:
  authlogic:
    error_messages:
      # ...
      email_invalid: xxx should look like an email address
      # ...
```
Actual Behavior
The actual error message should be of type general_credentials_error because the email is valid. It simply doesn't exist in the database, but that information should not be exposed.
When the email is valid and exists in the database, and the password is incorrect, I would receive an error that the password is invalid. When the email is valid but does not exist in the database, I would receive an error that the email is invalid.
I am surprised that this is the default behavior. This is a security flaw that can be exploited to reveal the presence of email addresses in your application's database. This should really not be the default.
I had to do some digging in the code to find where this can be changed. The solution was to add the following to my UserSession class:
When generalize_credentials_error_messages is set to true, a generic error message will be added by add_invalid_password_error when a login fails regardless of whether the email address was present in the database, ex. "Email/Password combination is not valid". I have tested this change, and I am now seeing a generic error message, as desired.
Per the comments in the code, you can also add a custom message like so:
```ruby
# Passing a string instead of true sets the custom generic message.
class UserSession < Authlogic::Session::Base
  generalize_credentials_error_messages "Your login information is invalid"
end
```
For i18n, it looks like this would be the way to change the message, but I have not tested this:

```yaml
en:
  authlogic:
    error_messages:
      # ...
      general_credentials_error: Email/Password combination is not valid
      # ...
```
It looks like the code will perform the translation accordingly, though:
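The following is an added example, not authlogic's own code and not part of this thread. It models the behaviour discussed above with a constructed in-memory user store (FakeUserStore), a constructed LoginValidator whose generalize flag plays the role of generalize_credentials_error_messages, and a translation hash that mirrors the i18n keys quoted in the comments. The last function is the check a maintainer would want in a test suite: with generalized errors enabled, the response for an unknown email must be byte-for-byte identical to the response for a known email with a wrong password.

```ruby
require "digest"

# Constructed stand-in for the database; one known account.
class FakeUserStore
  def initialize
    # SHA256 is only a stand-in here for whatever password hash the app uses.
    @users = { "alice@example.com" => Digest::SHA256.hexdigest("correct horse") }
  end

  def find_by_email(email)
    @users[email]
  end
end

# Constructed translations mirroring the authlogic keys quoted in the thread.
TRANSLATIONS = {
  "authlogic.error_messages.email_invalid"             => "is not valid",
  "authlogic.error_messages.password_invalid"          => "is not valid",
  "authlogic.error_messages.general_credentials_error" => "Email/Password combination is not valid",
}.freeze

def translate(key)
  TRANSLATIONS.fetch(key)
end

class LoginValidator
  # generalize: false reproduces the leaky per-field messages the issue reports;
  # generalize: true reproduces the behaviour after enabling
  # generalize_credentials_error_messages (modelled, not authlogic's code path).
  def initialize(store, generalize:)
    @store = store
    @generalize = generalize
  end

  # Returns the list of error strings; an empty list means the login succeeded.
  def validate(email, password)
    stored_hash = @store.find_by_email(email)
    return [error_for("email")] if stored_hash.nil?
    return [error_for("password")] unless stored_hash == Digest::SHA256.hexdigest(password)
    []
  end

  private

  def error_for(field)
    if @generalize
      translate("authlogic.error_messages.general_credentials_error")
    else
      field_message = translate("authlogic.error_messages.#{field}_invalid")
      "#{field.capitalize} #{field_message}"
    end
  end
end

# Defender-side check: true means the error text differs between an unknown
# email and a known email with a wrong password, i.e. account presence leaks.
def errors_distinguish_accounts?(validator)
  unknown_email = validator.validate("nobody@example.com", "wrong")
  known_bad_pw  = validator.validate("alice@example.com", "wrong")
  unknown_email != known_bad_pw
end

if __FILE__ == $PROGRAM_NAME
  store = FakeUserStore.new
  puts "leaky:       #{errors_distinguish_accounts?(LoginValidator.new(store, generalize: false))}"
  puts "generalized: #{errors_distinguish_accounts?(LoginValidator.new(store, generalize: true))}"
end
```

Run it with `ruby` and the leaky configuration reports true while the generalized one reports false; the same comparison, pointed at the real login endpoint, is a cheap regression test that the generic message stays in place after upgrades.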