Existing error messages allow for user enumeration
Closed this issue · 0 comments
ross-u commented
Issue
When running `npx ironlauncher@latest <project-name> --auth --json`, the created templates use two different error messages on the login route that may allow for user enumeration.
Details
- The following error message is returned as a response when the user is not found in the database:
- The following error message is returned as a response when the user provides an incorrect password.
Solution
To address the possibility of user enumeration, rename the error messages to be generic and not reveal specific information about the error.
```js
// user not found in the database
res.status(401).json({ message: "Authentication failed." });
// user found, but the password is incorrect
res.status(401).json({ message: "Authentication failed." });
```
This will ensure that the error messages do not give away specific information about the cause of authentication failure and prevent user enumeration.