From 89b5f1318495ae0560c9b9ac00b5b38287584497 Mon Sep 17 00:00:00 2001
From: bourgeoa
Date: Thu, 22 Feb 2024 11:44:29 +0100
Subject: [PATCH] fix security issue
---
 lib/models/authenticator.js | 8 ++++++--
 test/unit/password-authenticator-test.js | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/models/authenticator.js b/lib/models/authenticator.js
index 87aaa16c1..19382e54b 100644
--- a/lib/models/authenticator.js
+++ b/lib/models/authenticator.js
@@ -140,7 +140,9 @@ class PasswordAuthenticator extends Authenticator {
 })
 .then(foundUser => {
 if (!foundUser) {
- error = new Error('No user found for that username')
+ // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+ // https://cwe.mitre.org/data/definitions/200.html
+ error = new Error('Invalid username/password combination.') // no detail for security 'No user found for that username')
 error.statusCode = 400
 throw error
 }
@@ -151,7 +153,9 @@ class PasswordAuthenticator extends Authenticator {
 })
 .then(validUser => {
 if (!validUser) {
- error = new Error('User found but no password match')
+ // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+ // https://cwe.mitre.org/data/definitions/200.html
+ error = new Error('Invalid username/password combination.') // no detail for security 'User found but no password match')
 error.statusCode = 400
 throw error
 }
diff --git a/test/unit/password-authenticator-test.js b/test/unit/password-authenticator-test.js
index 0438bb757..584cbb214 100644
--- a/test/unit/password-authenticator-test.js
+++ b/test/unit/password-authenticator-test.js
@@ -90,7 +90,7 @@ describe('PasswordAuthenticator', () => {
 pwAuth.findValidUser()
 .catch(error => {
 expect(error.statusCode).to.equal(400)
- expect(error.message).to.equal('No user found for that username')
+ expect(error.message).to.equal('Invalid username/password combination.')
 done()
 })
 })
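Review bot: The trailing comment on the new `error = new Error(...)` line in both hunks (@@ -140 and @@ -151) re-embeds the exact wording the change removes, with a stray `)` at the end, and the generic message is now duplicated as two separate literals, so a later edit to only one branch would quietly reintroduce the username/password distinction. I would declare it once at module level, `const INVALID_CREDENTIALS = 'Invalid username/password combination.'`, use `error = new Error(INVALID_CREDENTIALS)` in both branches, and replace each trailing comment with `// deliberately generic: must not reveal whether the username exists`, keeping a single CWE-200 reference next to the constant instead of repeating it. One caveat worth noting in a comment: the two messages are now identical, but the missing-user branch presumably throws before the password comparison in the following `.then`, so the two outcomes may still differ in response time; performing a dummy hash comparison on that path is the usual complement to a uniform message. The enclosing method starts before and ends after both hunks.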
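Review bot: The two updated expectations (this hunk at @@ -90 and the one at @@ -111) now pin the same literal independently, so they check the wording rather than the property the fix establishes, which is that the unknown-user and wrong-password paths are indistinguishable. I would put the string in one place in the test file, `const INVALID_CREDENTIALS = 'Invalid username/password combination.'`, and assert `expect(error.message).to.equal(INVALID_CREDENTIALS)` in both cases, so that a change to only one branch of `findValidUser` fails a test instead of passing with a divergent message. The surrounding `describe` block starts before and ends after each hunk.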
@@ -111,7 +111,7 @@ describe('PasswordAuthenticator', () => {
 pwAuth.findValidUser()
 .catch(error => {
 expect(error.statusCode).to.equal(400)
- expect(error.message).to.equal('User found but no password match')
+ expect(error.message).to.equal('Invalid username/password combination.')
 done()
 })
 })