fix security issue
bourgeoa committed Feb 22, 2024
1 parent 7ae2bcc commit 89b5f13
Showing 2 changed files with 8 additions and 4 deletions.
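--- a/lib/models/authenticator.js
+++ b/lib/models/authenticator.js
@@ -140,7 +140,9 @@ class PasswordAuthenticator extends Authenticator {
 })
 .then(foundUser => {
 if (!foundUser) {
-error = new Error('No user found for that username')
+// CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+// https://cwe.mitre.org/data/definitions/200.html
+error = new Error('Invalid username/password combination.') // no detail for security 'No user found for that username')
 error.statusCode = 400
 throw error
 }
@@ -151,7 +153,9 @@ class PasswordAuthenticator extends Authenticator {
 })
 .then(validUser => {
 if (!validUser) {
-error = new Error('User found but no password match')
+// CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+// https://cwe.mitre.org/data/definitions/200.html
+error = new Error('Invalid username/password combination.') // no detail for security 'User found but no password match')
 error.statusCode = 400
 throw error
 }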
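Review bot: Unifying the two messages does not fully close the user-enumeration channel: when no user is found, the first `.then` throws immediately, while a wrong password presumably only fails after the password verification that runs before the `validUser` check, so the two cases remain distinguishable by response time even though the text is identical. A common mitigation is to perform the password verification against a fixed dummy hash when the lookup returns nothing, so both branches do comparable work before throwing the same error. Separately, the trailing comments that quote the old messages (`// no detail for security 'No user found for that username')`) are commented-out code that git history already preserves; a single intent comment such as `// Deliberately generic: do not reveal whether the username exists (CWE-200 / user enumeration)` reads better and is less likely to be copied back in. The enclosing method starts and ends outside these hunks, so the lookup and verification calls themselves were not reviewed.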
4 changes: 2 additions & 2 deletions test/unit/password-authenticator-test.js
Expand Up @@ -90,7 +90,7 @@ describe('PasswordAuthenticator', () => {
pwAuth.findValidUser()
.catch(error => {
expect(error.statusCode).to.equal(400)
expect(error.message).to.equal('No user found for that username')
expect(error.message).to.equal('Invalid username/password combination.')
done()
})
})
Expand All @@ -111,7 +111,7 @@ describe('PasswordAuthenticator', () => {
pwAuth.findValidUser()
.catch(error => {
expect(error.statusCode).to.equal(400)
expect(error.message).to.equal('User found but no password match')
expect(error.message).to.equal('Invalid username/password combination.')
done()
})
})
