fix: don't reveal whether a user exists
This commit is contained in:
parent
e6847b05e2
commit
248087bf99
2 changed files with 26 additions and 8 deletions
|
@ -96,7 +96,7 @@ pub async fn login(
|
||||||
_ => Ok(HttpResponse::Ok().json(json!({ "key": token }))),
|
_ => Ok(HttpResponse::Ok().json(json!({ "key": token }))),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Err(e) => Err(ErrorUnauthorized(e)),
|
Err(_) => Err(ErrorUnauthorized("Invalid credentials.")),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -314,14 +314,22 @@ impl UpEndConnection {
|
||||||
.filter(dsl::username.eq(username))
|
.filter(dsl::username.eq(username))
|
||||||
.load::<models::UserValue>(&conn)?;
|
.load::<models::UserValue>(&conn)?;
|
||||||
|
|
||||||
let user = user_result.first().ok_or(anyhow!("User not found"))?;
|
match user_result.first() {
|
||||||
|
Some(user) => {
|
||||||
let parsed_hash = PasswordHash::new(&user.password).map_err(|e| anyhow!(e))?;
|
let parsed_hash = PasswordHash::new(&user.password).map_err(|e| anyhow!(e))?;
|
||||||
let argon2 = Argon2::default();
|
let argon2 = Argon2::default();
|
||||||
argon2
|
argon2
|
||||||
.verify_password(password.as_ref(), &parsed_hash)
|
.verify_password(password.as_ref(), &parsed_hash)
|
||||||
.map_err(|e| anyhow!(e))
|
.map_err(|e| anyhow!(e))
|
||||||
}
|
}
|
||||||
|
None => {
|
||||||
|
let argon2 = Argon2::default();
|
||||||
|
let _ = argon2
|
||||||
|
.verify_password(password.as_ref(), &PasswordHash::new(&DUMMY_HASH).unwrap());
|
||||||
|
Err(anyhow!("user not found"))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub fn retrieve_entry(&self, hash: &UpMultihash) -> Result<Option<Entry>> {
|
pub fn retrieve_entry(&self, hash: &UpMultihash) -> Result<Option<Entry>> {
|
||||||
use crate::inner::schema::data::dsl::*;
|
use crate::inner::schema::data::dsl::*;
|
||||||
|
@ -538,6 +546,16 @@ impl UpEndConnection {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
lazy_static! {
|
||||||
|
static ref DUMMY_HASH: String = Argon2::default()
|
||||||
|
.hash_password(
|
||||||
|
"password".as_ref(),
|
||||||
|
&password_hash::SaltString::generate(&mut password_hash::rand_core::OsRng)
|
||||||
|
)
|
||||||
|
.unwrap()
|
||||||
|
.to_string();
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod test {
|
mod test {
|
||||||
use upend_base::constants::{ATTR_IN, ATTR_LABEL};
|
use upend_base::constants::{ATTR_IN, ATTR_LABEL};
|
||||||
|
|
Loading…
Reference in a new issue