jwt bad credentials gives too much information
stephengaudet opened this issue · 2 comments
Found on branch "jwt-auth".

Steps to reproduce:
- configure JWT authentication, note the credentials
- request a bearer token, but provide an incorrect username

Expected result:
HTTP error code 401. An empty error message is not bad. If a message is needed, then nothing more than "Access Denied" or "Login Failed".

Actual result:
Error code 401. The error message is too descriptive: "user username0 not found".

If an attacker is brute-forcing a login, we've just told them the username they are using is no good, and they can keep trying until they get a different error, thus knowing they've found a good username.
@AbineshECAD I see now on the latest build, that when I use the wrong username I get back the message "Access denied". thank you for that change.
One more small change, please. I see that when I supply the correct username but the wrong password, I get back no message.

I might have been more clear in this issue when I raised it. Whether the message is "Access Denied", "Login Failed", or an empty message, all are fine and good. It is good to have the same message for when the username is not found as when the username is found but the password is incorrect. This way, a brute force does not know which of username or password they got wrong based on system output.
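The uniform-failure behaviour requested in this thread, as an added example that is not the project's code: a leaky `login_leaky` that distinguishes "user not found" from "bad password" beside a hardened `login` that returns the same 401 and message for both, and also does the same hashing work on the unknown-user path so the two failures cannot be told apart by timing either. The user store, helper names and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed, in-memory user store: username -> (salt, pbkdf2 hash).
# Hypothetical helpers; a real service would load these from its user database.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    return {name: (salt := os.urandom(16), hash_password(pw, salt))
            for name, pw in users.items()}


def login_leaky(store: dict, username: str, password: str) -> tuple:
    """The behaviour reported in the issue: the message reveals whether the username exists."""
    if username not in store:
        return (401, f"user {username} not found")   # confirms the name is unused
    salt, expected = store[username]
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return (401, "")                              # different reply: name exists
    return (200, f"token-for-{username}")


# Dummy credential verified when the username is unknown, so the "not found"
# path performs the same PBKDF2 work as the "wrong password" path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = (401, "Access denied")


def login(store: dict, username: str, password: str) -> tuple:
    """Hardened: both failure modes return exactly GENERIC_FAILURE."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)          # always computed
    if not (hmac.compare_digest(candidate, expected) and username in store):
        return GENERIC_FAILURE
    return (200, f"token-for-{username}")             # issue the bearer token here
```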