Wrong error message when a validly formatted email of a non-existent user and a fake password are provided
ISSUES THAT DO NOT FOLLOW THIS TEMPLATE WILL BE CLOSED IMMEDIATELY.
- [X] This is not a usage question.
- Our volunteers' time is limited, so please ask usage questions on StackOverflow.
- [X] This is not a security issue.
- Do not disclose security issues in public. See our contributing guide for instructions.
- [X] This bug is reproducible with a clean install of authlogic
- [X] I am committed to fixing this in a reasonable amount of time, and responding promptly to feedback.
Expected Behavior
For the login form: if the email of a non-existent user is in the correct format (for example [email protected]) and a fake password is provided, the error notification says: "Email is not valid".
(rdbg) @user_session # ruby
#<UserSession: {:email=>"[email protected]", :password=>"<protected>"}>
(rdbg) @user_session.errors # ruby
#<ActiveModel::Errors [#<ActiveModel::Error attribute=email, type=is not valid, options={}>]>
Additionally, the error message can't be translated using the official translation keys. Other errors can be translated successfully.
pl:
  authlogic:
    error_messages:
      ...
      email_invalid: xxx should look like an email address.
      ...
Actual Behavior
The actual error message should be of type general_credentials_error because the email is valid. It simply doesn't exist in the database, but that information should not be exposed.
I experienced essentially this same issue.
When the email is valid and exists in the database, and the password is incorrect, I would receive an error that the password is invalid. When the email is valid but does not exist in the database, I would receive an error that the email is invalid.
I am surprised that this is the default behavior. This is a security flaw that can be exploited to reveal the presence of email addresses in your application's database. This should really not be the default.
I had to do some digging in the code to find where this can be changed. The solution was to add the following to my UserSession class:
class UserSession < Authlogic::Session::Base
  generalize_credentials_error_messages true
end
When generalize_credentials_error_messages is set to true, a generic error message will be added by add_invalid_password_error when a login fails, regardless of whether the email address was present in the database, e.g. "Email/Password combination is not valid". I have tested this change, and I am now seeing a generic error message, as desired.
Per the comments in the code, you can also add a custom message like so:
class UserSession < Authlogic::Session::Base
  generalize_credentials_error_messages "Your login information is invalid"
end
For i18n, it looks like this would be the way to change the message, but I have not tested this:
en:
  authlogic:
    error_messages:
      # ...
      general_credentials_error: Email/Password combination is not valid
      # ...
It looks like the code will perform the translation accordingly, though: https://github.com/binarylogic/authlogic/blob/ef95d13b3f3ee846b54bc2510714f5e2fe84515a/lib/authlogic/session/base.rb#L1596
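The following Ruby script is an added illustration and is not Authlogic's code or the commenter's. It models the two behaviours discussed in this thread: a login check that reports a different message when the address is unknown versus when the password is wrong (the enumeration oracle described above), beside a check that returns one generalized message for every credential failure and also runs the password KDF for unknown addresses so that the two cases cost the same time. The in-memory user store, the PBKDF2 parameters, the email regexp and the helper names (`login_specific`, `login_general`, `enumeration_oracle?`) are all constructed for this example.

```ruby
require "openssl"
require "securerandom"

# Constructed in-memory user store: email => { salt:, hash: }.
USERS = {}

# Password hashing via PBKDF2-HMAC-SHA256 (stdlib OpenSSL); parameters chosen for the example.
def derive(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32, hash: "sha256")
end

def register(email, password)
  salt = SecureRandom.random_bytes(16)
  USERS[email] = { salt: salt, hash: derive(password, salt) }
end

# Rough stand-in for a syntactic email check; this is not Authlogic's regexp.
EMAIL_FORMAT = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Constant-time byte comparison so the comparison itself leaks nothing about the hash.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mimics the default behaviour reported in the issue: one message per failure cause.
# Returns nil on success, otherwise the error string shown to the client.
def login_specific(email, password)
  return "Email is not valid" unless email.match?(EMAIL_FORMAT)
  record = USERS[email]
  return "Email is not valid" unless record # leaks that the address is not in the database
  return "Password is not valid" unless secure_compare(derive(password, record[:salt]), record[:hash])
  nil
end

# Mimics generalize_credentials_error_messages true: a single message for any credential failure.
GENERAL_ERROR = "Email/Password combination is not valid"

# Dummy credentials used for unknown addresses so the KDF always runs (equalizes timing).
DUMMY_SALT = SecureRandom.random_bytes(16)
DUMMY_HASH = derive("", DUMMY_SALT)

def login_general(email, password)
  return "Email is not valid" unless email.match?(EMAIL_FORMAT) # purely syntactic, reveals nothing about the DB
  record = USERS[email]
  candidate = record || { salt: DUMMY_SALT, hash: DUMMY_HASH }
  matched = secure_compare(derive(password, candidate[:salt]), candidate[:hash])
  # The dummy hash must never grant access, so require a real record as well.
  matched && !record.nil? ? nil : GENERAL_ERROR
end

# Enumeration check a tester would run: does the response for an unknown address
# differ from the response for a known address with a wrong password?
def enumeration_oracle?(login)
  unknown = login.call("nobody@example.test", "wrong")
  known   = login.call("alice@example.test", "wrong")
  unknown != known
end

# Constructed sample account.
register("alice@example.test", "correct horse battery staple")

if __FILE__ == $0
  puts "specific messages enumerable? #{enumeration_oracle?(method(:login_specific))}"
  puts "general message enumerable?   #{enumeration_oracle?(method(:login_general))}"
end
```

Run as a script to see the two results side by side; the generalized variant also returns the same string for an empty password against an unknown address, which is the case the dummy-hash guard exists for.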