feat: Ability to show detailed auth errors, set to false by default (#860)

2025-07-19 05:09:43 +02:00 · 2024-08-30 11:47:29 +02:00 · 2024-08-30 11:47:29 +02:00 · e6644eb745
commit e6644eb745
parent b2e1fba9a0
7 changed files with 29 additions and 2 deletions
--- a/server/.env.sample
+++ b/server/.env.sample
@ -22,6 +22,8 @@ SECRET_KEY=notsecretkey
 # DEFAULT_ADMIN_NAME=Demo Demo
 # DEFAULT_ADMIN_USERNAME=demo

+# SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons.
+
 # ALLOW_ALL_TO_CREATE_PROJECTS=true

 # OIDC_ISSUER=
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -4,6 +4,9 @@ const validator = require('validator');
 const { getRemoteAddress } = require('../../../utils/remoteAddress');

 const Errors = {
+  INVALID_CREDENTIALS: {
+    invalidCredentials: 'Invalid credentials',
+  },
  INVALID_EMAIL_OR_USERNAME: {
    invalidEmailOrUsername: 'Invalid email or username',
  },
@ -34,6 +37,9 @@ module.exports = {
  },

  exits: {
+    invalidCredentials: {
+      responseType: 'unauthorized',
+    },
    invalidEmailOrUsername: {
      responseType: 'unauthorized',
    },
@ -57,7 +63,10 @@ module.exports = {
      sails.log.warn(
        `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,
      );
-      throw Errors.INVALID_EMAIL_OR_USERNAME;
+
+      throw sails.config.custom.showDetailedAuthErrors
+        ? Errors.INVALID_EMAIL_OR_USERNAME
+        : Errors.INVALID_CREDENTIALS;
    }

    if (user.isSso) {
@ -66,7 +75,10 @@ module.exports = {

    if (!bcrypt.compareSync(inputs.password, user.password)) {
      sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
-      throw Errors.INVALID_PASSWORD;
+
+      throw sails.config.custom.showDetailedAuthErrors
+        ? Errors.INVALID_PASSWORD
+        : Errors.INVALID_CREDENTIALS;
    }

    const accessToken = sails.helpers.utils.createToken(user.id);
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -34,6 +34,8 @@ module.exports.custom = {
  defaultAdminEmail:
    process.env.DEFAULT_ADMIN_EMAIL && process.env.DEFAULT_ADMIN_EMAIL.toLowerCase(),

+  showDetailedAuthErrors: process.env.SHOW_DETAILED_AUTH_ERRORS === 'true',
+
  allowAllToCreateProjects: process.env.ALLOW_ALL_TO_CREATE_PROJECTS === 'true',

  oidcIssuer: process.env.OIDC_ISSUER,