mystiq/dex
Archived
4
0
Fork 1
Code Issues Pull requests Packages Projects Releases Wiki Activity

*: don't error out if a username doesn't exist in the backing connector

Browse source 
Instead of throwing a 500 error if a user enters an invalid name,
display the same text box as if the user had entered the wrong
password.

NOTE: An invalid username now returns much quicker than an invalid
password. Consider adding an arbitrary sleep in the future if we
care about masking which was invalid.
This commit is contained in:
Eric Chiang 2016-11-01 14:03:22 -07:00
parent 2a9051c864
commit 57a59d4631
3 changed files with 13 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
connector/ldap/ldap.go
View file

@ -310,7 +310,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
switch n := len(resp.Entries); n { switch n := len(resp.Entries); n {
case 0: case 0:
return fmt.Errorf("ldap: no results returned for filter: %q", filter) log.Printf("ldap: no results returned for filter: %q", filter)
incorrectPass = true
return nil
case 1: case 1:
default: default:
return fmt.Errorf("ldap: filter returned multiple (%d) results: %q", n, filter) return fmt.Errorf("ldap: filter returned multiple (%d) results: %q", n, filter)
@ -335,6 +337,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
if err != nil { if err != nil {
return connector.Identity{}, false, err return connector.Identity{}, false, err
} }
if incorrectPass {
return connector.Identity{}, false, nil
}
// Encode entry for follow up requests such as the groups query and // Encode entry for follow up requests such as the groups query and
// refresh attempts. // refresh attempts.
@ -364,7 +369,7 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
return connector.Identity{}, false, err return connector.Identity{}, false, err
} }
return ident, !incorrectPass, nil return ident, true, nil
} }
func (c *ldapConnector) Groups(ident connector.Identity) ([]string, error) { func (c *ldapConnector) Groups(ident connector.Identity) ([]string, error) {

3
server/server.go
View file

@ -218,8 +218,9 @@ func (db passwordDB) Login(email, password string) (connector.Identity, bool, er
if err != nil { if err != nil {
if err != storage.ErrNotFound { if err != storage.ErrNotFound {
log.Printf("get password: %v", err) log.Printf("get password: %v", err)
return connector.Identity{}, false, err
} }
return connector.Identity{}, false, err return connector.Identity{}, false, nil
} }
if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil { if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil {
return connector.Identity{}, false, nil return connector.Identity{}, false, nil

8
server/server_test.go
View file

@ -657,10 +657,10 @@ func TestPasswordDB(t *testing.T) {
}, },
}, },
{ {
name: "unknown user", name: "unknown user",
username: "john@example.com", username: "john@example.com",
password: pw, password: pw,
wantErr: true, wantInvalid: true,
}, },
{ {
name: "invalid password", name: "invalid password",