dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

security: Fix user enumeration vulnerability in login

Browse Source 
- Unify error messages for invalid username and incorrect password
- Both return 401 status with 'Invalid username or password'
- Prevent attackers from enumerating valid usernames
- Maintain detailed logging for debugging purposes
- Changed from 404 'User not found' to generic auth failure message
This commit is contained in:
ZacharyZcR
2025-11-09 09:16:11 +08:00
parent f8d07c1552
commit a70ad7c6b7
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/backend/database/routes/users.ts
View File

@@ -896,11 +896,11 @@ router.post("/login", async (req, res) => {
.where(eq(users.username, username)); .where(eq(users.username, username));
if (!user || user.length === 0) { if (!user || user.length === 0) {
authLogger.warn(`User not found: ${username}`, { authLogger.warn(`Login failed: user not found`, {
operation: "user_login", operation: "user_login",
username, username,
}); });
return res.status(404).json({ error: "User not found" }); return res.status(401).json({ error: "Invalid username or password" });
} }
const userRecord = user[0]; const userRecord = user[0];
@@ -918,12 +918,12 @@ router.post("/login", async (req, res) => {
const isMatch = await bcrypt.compare(password, userRecord.password_hash); const isMatch = await bcrypt.compare(password, userRecord.password_hash);
if (!isMatch) { if (!isMatch) {
authLogger.warn(`Incorrect password for user: ${username}`, { authLogger.warn(`Login failed: incorrect password`, {
operation: "user_login", operation: "user_login",
username, username,
userId: userRecord.id, userId: userRecord.id,
}); });
return res.status(401).json({ error: "Incorrect password" }); return res.status(401).json({ error: "Invalid username or password" });
} }
try { try {