fix: don't reveal whether a user exists
This commit is contained in:
parent
e6847b05e2
commit
248087bf99
2 changed files with 26 additions and 8 deletions
|
@ -96,7 +96,7 @@ pub async fn login(
|
|||
_ => Ok(HttpResponse::Ok().json(json!({ "key": token }))),
|
||||
}
|
||||
}
|
||||
Err(e) => Err(ErrorUnauthorized(e)),
|
||||
Err(_) => Err(ErrorUnauthorized("Invalid credentials.")),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -314,13 +314,21 @@ impl UpEndConnection {
|
|||
.filter(dsl::username.eq(username))
|
||||
.load::<models::UserValue>(&conn)?;
|
||||
|
||||
let user = user_result.first().ok_or(anyhow!("User not found"))?;
|
||||
|
||||
let parsed_hash = PasswordHash::new(&user.password).map_err(|e| anyhow!(e))?;
|
||||
let argon2 = Argon2::default();
|
||||
argon2
|
||||
.verify_password(password.as_ref(), &parsed_hash)
|
||||
.map_err(|e| anyhow!(e))
|
||||
match user_result.first() {
|
||||
Some(user) => {
|
||||
let parsed_hash = PasswordHash::new(&user.password).map_err(|e| anyhow!(e))?;
|
||||
let argon2 = Argon2::default();
|
||||
argon2
|
||||
.verify_password(password.as_ref(), &parsed_hash)
|
||||
.map_err(|e| anyhow!(e))
|
||||
}
|
||||
None => {
|
||||
let argon2 = Argon2::default();
|
||||
let _ = argon2
|
||||
.verify_password(password.as_ref(), &PasswordHash::new(&DUMMY_HASH).unwrap());
|
||||
Err(anyhow!("user not found"))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub fn retrieve_entry(&self, hash: &UpMultihash) -> Result<Option<Entry>> {
|
||||
|
@ -538,6 +546,16 @@ impl UpEndConnection {
|
|||
}
|
||||
}
|
||||
|
||||
lazy_static! {
|
||||
static ref DUMMY_HASH: String = Argon2::default()
|
||||
.hash_password(
|
||||
"password".as_ref(),
|
||||
&password_hash::SaltString::generate(&mut password_hash::rand_core::OsRng)
|
||||
)
|
||||
.unwrap()
|
||||
.to_string();
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod test {
|
||||
use upend_base::constants::{ATTR_IN, ATTR_LABEL};
|
||||
|
|
Loading…
Reference in a new issue