From 57a59d46319f291ed3f6b1a9c3293bcead1b19f5 Mon Sep 17 00:00:00 2001
From: Eric Chiang <eric.chiang@coreos.com>
Date: Tue, 1 Nov 2016 14:03:22 -0700
Subject: [PATCH] *: don't error out if a username doesn't exist in the backing
 connector

Instead of throwing a 500 error if a user enters an invalid name,
display the same text box as if the user had entered the wrong
password.

NOTE: An invalid username now returns much quicker than an invalid
password. Consider adding an arbitrary sleep in the future if we
care about masking which was invalid.
---
 connector/ldap/ldap.go | 9 +++++++--
 server/server.go       | 3 ++-
 server/server_test.go  | 8 ++++----
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index 80f84f2a..841ff110 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -310,7 +310,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 
 		switch n := len(resp.Entries); n {
 		case 0:
-			return fmt.Errorf("ldap: no results returned for filter: %q", filter)
+			log.Printf("ldap: no results returned for filter: %q", filter)
+			incorrectPass = true
+			return nil
 		case 1:
 		default:
 			return fmt.Errorf("ldap: filter returned multiple (%d) results: %q", n, filter)
@@ -335,6 +337,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 	if err != nil {
 		return connector.Identity{}, false, err
 	}
+	if incorrectPass {
+		return connector.Identity{}, false, nil
+	}
 
 	// Encode entry for follow up requests such as the groups query and
 	// refresh attempts.
@@ -364,7 +369,7 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 		return connector.Identity{}, false, err
 	}
 
-	return ident, !incorrectPass, nil
+	return ident, true, nil
 }
 
 func (c *ldapConnector) Groups(ident connector.Identity) ([]string, error) {
diff --git a/server/server.go b/server/server.go
index 603a23cb..3f347013 100644
--- a/server/server.go
+++ b/server/server.go
@@ -218,8 +218,9 @@ func (db passwordDB) Login(email, password string) (connector.Identity, bool, er
 	if err != nil {
 		if err != storage.ErrNotFound {
 			log.Printf("get password: %v", err)
+			return connector.Identity{}, false, err
 		}
-		return connector.Identity{}, false, err
+		return connector.Identity{}, false, nil
 	}
 	if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil {
 		return connector.Identity{}, false, nil
diff --git a/server/server_test.go b/server/server_test.go
index 009a8dc2..d3ba1e3e 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -657,10 +657,10 @@ func TestPasswordDB(t *testing.T) {
 			},
 		},
 		{
-			name:     "unknown user",
-			username: "john@example.com",
-			password: pw,
-			wantErr:  true,
+			name:        "unknown user",
+			username:    "john@example.com",
+			password:    pw,
+			wantInvalid: true,
 		},
 		{
 			name:        "invalid password",