Email Unverified error returns even with Incorrect Password

[dblythy]

Issue Description

Logging in with an incorrect password returns email unverified instead of incorrect username or password. I am giving users the option to use /verificationEmailRequest on error code 205, however error code 205 returned on incorrect password.

Steps to reproduce

Create an account with preventLoginWithUnverifiedEmail set to true. Login immediately with incorrect password and error will be "email not verified".

Expected Results

Incorrect password error.

Actual Outcome

Email not verified error.

Environment Setup

• Server
  • parse-server version: 2.7.4
  • Localhost

[paulovitin]

Im not understand the wrong behavior.

The docs says: set preventLoginWithUnverifiedEmail to true to prevent user from login if their email is not verified

So, if you set true, the error returned its correct. I missing something?

[dblythy]

@paulovitin yes, prevents logging in correctly. However even if the password is incorrect it returns. It should first return incorrect username/password, and then once password is correct, it should return email not verified.

[paulovitin]

@dblythy the first information for user login is the e-mail, so, the app needs validade the e-mail. The e-mail is unverified, then the first error is e-mail unverified...

The second step is check the password... But the e-mail error already been returned.

[dblythy]

I want to prompt unverified users after login (correct password) with "resend verification email". Point being, they can find out a users email address before they verify their email.

Just as an incorrect password returns "invalid email/password", not "invalid password" to hide a database users email, incorrect password before verification returns "unverified email" - revealing an unverified user's email.

[paulovitin]

@montymxb can you help here?

[dblythy]

Potentially, if a malicious user brute forced emails, all they would need is to attempt login and search for error 205 to get a users email. Then wait until they verify and brute force password.

[flovilmart]

Can one of you open a PR to reverse the order of the errors?

[dblythy]

Yep! Will do.