-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Fix SSL cert check on non-standard ports and login user enumeration #3726
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -220,12 +220,17 @@ export class UserService implements IUserService { | |
|
|
||
| loginUser = async (email: string, password: string) => { | ||
| // Check if user exists | ||
| const user = await this.usersRepository.findByEmail(email); | ||
| let user; | ||
| try { | ||
| user = await this.usersRepository.findByEmail(email); | ||
| } catch { | ||
| throw new AppError({ message: "Incorrect email or password", service: SERVICE_NAME, status: 401 }); | ||
| } | ||
|
Comment on lines
+224
to
+228
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This doesn't resolve the enumeration problem. Attackers can still determine if they have found a correct email credential, as bcrypt is still awaited after the user lookup. If you want to fully resolve the enumeration issue then a dummy value needs to be hashed on the user not found path. Additionally, this catch block is too broad, it classifies all errors thrown by the repository as email/password errors. This should be narrowed appropriately. |
||
| // Compare password | ||
| const match = await bcrypt.compare(password, user.password); | ||
|
|
||
| if (match !== true) { | ||
| throw new AppError({ message: "Incorrect password", service: SERVICE_NAME, status: 401 }); | ||
| throw new AppError({ message: "Incorrect email or password", service: SERVICE_NAME, status: 401 }); | ||
| } | ||
|
|
||
| // Remove password from user object. Should this be abstracted to DB layer? | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a pretty convoluted way of expressing that port should not be added here if not specificed.
seems clearer to me 🤔