fix: more generic error messages on login

2025-07-21 14:19:44 +02:00 · 2024-08-28 22:25:44 +02:00 · 2024-08-28 22:25:44 +02:00 · 9a5049472f
commit 9a5049472f
parent b2e1fba9a0
6 changed files with 28 additions and 0 deletions
--- a/client/src/components/Login/Login.jsx
+++ b/client/src/components/Login/Login.jsx
@ -28,6 +28,11 @@ const createMessage = (error) => {
        type: 'error',
        content: 'common.invalidPassword',
      };
    case 'Invalid credentials':
      return {
        type: 'error',
        content: 'common.invalidCredentials',
      };
    case 'Use single sign-on':
      return {
        type: 'error',
@ -116,6 +121,10 @@ const Login = React.memo(
    useEffect(() => {
      if (wasSubmitting && !isSubmitting && error) {
        switch (error.message) {
          case 'Invalid credentials':
            emailOrUsernameField.current.select();
            break;
          case 'Invalid email or username':
            emailOrUsernameField.current.select();
--- a/client/src/locales/en-US/login.js
+++ b/client/src/locales/en-US/login.js
@ -3,6 +3,7 @@ export default {
    common: {
      emailOrUsername: 'E-mail or username',
      invalidEmailOrUsername: 'Invalid e-mail or username',
      invalidCredentials: 'Invalid credentials',
      invalidPassword: 'Invalid password',
      logInToPlanka: 'Log in to Planka',
      noInternetConnection: 'No internet connection',
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,6 +31,8 @@ services:
      # - DEFAULT_ADMIN_NAME=Demo Demo
      # - DEFAULT_ADMIN_USERNAME=demo
      # - ENABLE_VERBOSE_ON_LOGIN=false # Set to true will show more verbose error messages on login. Should not be disabled without a rate limiter for security reasons.
      # - ALLOW_ALL_TO_CREATE_PROJECTS=true
      # - OIDC_ISSUER=
--- a/server/.env.sample
+++ b/server/.env.sample
@ -22,6 +22,8 @@ SECRET_KEY=notsecretkey
 # DEFAULT_ADMIN_NAME=Demo Demo
 # DEFAULT_ADMIN_USERNAME=demo
 # ENABLE_VERBOSE_ON_LOGIN=false # Set to true will show more verbose error messages on login. Should not be disabled without a rate limiter for security reasons.
 # ALLOW_ALL_TO_CREATE_PROJECTS=true
 # OIDC_ISSUER=
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -10,6 +10,9 @@ const Errors = {
  INVALID_PASSWORD: {
    invalidPassword: 'Invalid password',
  },
  INVALID_CREDENTIALS: {
    invalidCredentials: 'Invalid credentials',
  },
  USE_SINGLE_SIGN_ON: {
    useSingleSignOn: 'Use single sign-on',
  },
@ -40,6 +43,9 @@ module.exports = {
    invalidPassword: {
      responseType: 'unauthorized',
    },
    invalidCredentials: {
      responseType: 'unauthorized',
    },
    useSingleSignOn: {
      responseType: 'forbidden',
    },
@ -57,6 +63,9 @@ module.exports = {
      sails.log.warn(
        `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,
      );
      if (sails.config.custom.enableVerboseOnLogin) {
        throw Errors.INVALID_CREDENTIALS;
      }
      throw Errors.INVALID_EMAIL_OR_USERNAME;
    }
@ -66,6 +75,9 @@ module.exports = {
    if (!bcrypt.compareSync(inputs.password, user.password)) {
      sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
      if (sails.config.custom.enableVerboseOnLogin) {
        throw Errors.INVALID_CREDENTIALS;
      }
      throw Errors.INVALID_PASSWORD;
    }
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -36,6 +36,8 @@ module.exports.custom = {
  allowAllToCreateProjects: process.env.ALLOW_ALL_TO_CREATE_PROJECTS === 'true',
  enableVerboseOnLogin: process.env.ENABLE_VERBOSE_ON_LOGIN ? process.env.ENABLE_VERBOSE_ON_LOGIN === 'true' : true,
  oidcIssuer: process.env.OIDC_ISSUER,
  oidcClientId: process.env.OIDC_CLIENT_ID,
  oidcClientSecret: process.env.OIDC_CLIENT_SECRET,