diff --git a/lib/models/authenticator.js b/lib/models/authenticator.js
index 87aaa16c1..19382e54b 100644
--- a/lib/models/authenticator.js
+++ b/lib/models/authenticator.js
@@ -140,7 +140,9 @@ class PasswordAuthenticator extends Authenticator {
 })
 .then(foundUser => {
 if (!foundUser) {
- error = new Error('No user found for that username')
+ // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+ // https://cwe.mitre.org/data/definitions/200.html
+ error = new Error('Invalid username/password combination.') // no detail for security 'No user found for that username')
 error.statusCode = 400
 throw error
 }
@@ -151,7 +153,9 @@ class PasswordAuthenticator extends Authenticator {
 })
 .then(validUser => {
 if (!validUser) {
- error = new Error('User found but no password match')
+ // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+ // https://cwe.mitre.org/data/definitions/200.html
+ error = new Error('Invalid username/password combination.') // no detail for security 'User found but no password match')
 error.statusCode = 400
 throw error
 }
diff --git a/test/unit/password-authenticator-test.js b/test/unit/password-authenticator-test.js
index 0438bb757..584cbb214 100644
--- a/test/unit/password-authenticator-test.js
+++ b/test/unit/password-authenticator-test.js
@@ -90,7 +90,7 @@ describe('PasswordAuthenticator', () => {
 pwAuth.findValidUser()
 .catch(error => {
 expect(error.statusCode).to.equal(400)
- expect(error.message).to.equal('No user found for that username')
+ expect(error.message).to.equal('Invalid username/password combination.')
 done()
 })
 })
@@ -111,7 +111,7 @@ describe('PasswordAuthenticator', () => {
 pwAuth.findValidUser()
 .catch(error => {
 expect(error.statusCode).to.equal(400)
- expect(error.message).to.equal('User found but no password match')
+ expect(error.message).to.equal('Invalid username/password combination.')
 done()
 })
 })
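Review bot: The trailing comment on the new `error = new Error(...)` line in the first hunk (-140) keeps the old message text plus a stray `)` (`// no detail for security 'No user found for that username')`), which reads as a leftover paste rather than an explanation, and the same pattern recurs in the second hunk at -151. Since both branches now deliberately emit the same text, hoist it into one constant, e.g. `const INVALID_CREDENTIALS_MESSAGE = 'Invalid username/password combination.'` above the class, use it in both branches, and have the two hunks in test/unit/password-authenticator-test.js assert against that constant so the three copies cannot drift. The comment can then say why instead of repeating the old string: `// same message for unknown user and bad password so the response does not reveal which check failed (CWE-200)`. If the password comparison is only executed once a user is found (not visible in this hunk), the two paths may still be told apart by response time even with identical messages; running the comparison against a fixed dummy hash on the not-found path would close that, and is worth a follow-up. The enclosing method starts and ends outside both hunks.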