From f49a0881bf6926f98f06ae7427acbe7da016ecce Mon Sep 17 00:00:00 2001
From: Daniel Schalla
Date: Wed, 12 Jun 2019 18:35:53 +0200
Subject: [PATCH] Display Lockout Error to User (#11135)
---
 api4/user.go | 3 ++-
 api4/user_test.go | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/api4/user.go b/api4/user.go
index b5c03c91f4..87efd12fe2 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -1240,7 +1240,7 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func login(c *Context, w http.ResponseWriter, r *http.Request) {
- // Translate all login errors to generic. MFA error being an exception, since it's required for the login flow itself
+ // Mask all sensitive errors, with the exception of the following
 defer func() {
 if c.Err == nil {
 return
@@ -1254,6 +1254,7 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
 "api.user.login.client_side_cert.certificate.app_error",
 "api.user.login.inactive.app_error",
 "api.user.login.not_verified.app_error",
+ "api.user.check_user_login_attempts.too_many.app_error",
 }
 
 maskError := true
diff --git a/api4/user_test.go b/api4/user_test.go
index 95907859a4..9cfa9aeb0b 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
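Review bot: The replacement comment `// Mask all sensitive errors, with the exception of the following` drops the rationale the old line carried (MFA errors are needed by the login flow itself) and gives none for the new exception, so a reader of the list no longer learns why any entry is unmasked. Keeping the reasoning in place would read something like `// Mask login errors to a generic one, except those the client must see: MFA errors drive the login flow itself, and the lockout error tells a locked-out user why valid credentials are rejected.` login's body and the defer that performs the masking continue outside the hunk.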
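Review bot: Adding `api.user.check_user_login_attempts.too_many.app_error` to the unmasked list makes the login response differ between an account that has been locked and one whose credentials are merely wrong, which is exactly the distinction the removed comment (`// Translate all login errors to generic`) said the masking was there to hide. If the attempt counter exists only for registered accounts — not visible in this hunk — repeated failures would then reveal whether an email or username is registered, so the trade-off between telling a locked-out user why sign-in fails and keeping the response uniform deserves a sentence next to the entry, e.g. `// intentionally unmasked so a locked-out user sees the reason, see #11135`. The maskError logic that consumes this list continues outside the hunk.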
@@ -4220,13 +4220,13 @@ func TestLoginLockout(t *testing.T) {
 _, resp = th.Client.Login(th.BasicUser.Email, "wrong")
 CheckErrorMessage(t, resp, "api.user.login.invalid_credentials_email_username")
 _, resp = th.Client.Login(th.BasicUser.Email, "wrong")
- CheckErrorMessage(t, resp, "api.user.login.invalid_credentials_email_username")
+ CheckErrorMessage(t, resp, "api.user.check_user_login_attempts.too_many.app_error")
 _, resp = th.Client.Login(th.BasicUser.Email, "wrong")
- CheckErrorMessage(t, resp, "api.user.login.invalid_credentials_email_username")
+ CheckErrorMessage(t, resp, "api.user.check_user_login_attempts.too_many.app_error")
 
 //Check if lock is active
 _, resp = th.Client.Login(th.BasicUser.Email, th.BasicUser.Password)
- CheckErrorMessage(t, resp, "api.user.login.invalid_credentials_email_username")
+ CheckErrorMessage(t, resp, "api.user.check_user_login_attempts.too_many.app_error")
 
 // Fake user has MFA enabled
 if result := <-th.Server.Store.User().UpdateMfaActive(th.BasicUser2.Id, true); result.Err != nil {
@@ -4239,9 +4239,9 @@ func TestLoginLockout(t *testing.T) {
 _, resp = th.Client.LoginWithMFA(th.BasicUser2.Email, th.BasicUser2.Password, "000000")
 CheckErrorMessage(t, resp, "api.user.check_user_mfa.bad_code.app_error")
 _, resp = th.Client.LoginWithMFA(th.BasicUser2.Email, th.BasicUser2.Password, "000000")
- CheckErrorMessage(t, resp, "api.user.login.invalid_credentials_email_username")
+ CheckErrorMessage(t, resp, "api.user.check_user_login_attempts.too_many.app_error")
 _, resp = th.Client.LoginWithMFA(th.BasicUser2.Email, th.BasicUser2.Password, "000000")
- CheckErrorMessage(t, resp, "api.user.login.invalid_credentials_email_username")
+ CheckErrorMessage(t, resp, "api.user.check_user_login_attempts.too_many.app_error")
 
 // Fake user has MFA disabled
 if result := <-th.Server.Store.User().UpdateMfaActive(th.BasicUser2.Id, false); result.Err != nil {
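Review bot: The updated assertions pin the lockout message only for an existing user (`th.BasicUser`); nothing in the test states what the same run of failed logins returns for an email that is not registered. Now that the lockout error is surfaced unmasked, an assertion that unknown accounts keep receiving `api.user.login.invalid_credentials_email_username` after the same number of attempts, assuming that is the intended behaviour, would document the boundary of the unmasking and catch a regression toward account enumeration. The same substitution is repeated in the MFA hunk at line 4239 and the final hunk at line 4250 and needs no separate note. TestLoginLockout starts before this hunk.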
@@ -4250,5 +4250,5 @@ func TestLoginLockout(t *testing.T) {
 
 //Check if lock is active
 _, resp = th.Client.Login(th.BasicUser2.Email, th.BasicUser2.Password)
- CheckErrorMessage(t, resp, "api.user.login.invalid_credentials_email_username")
+ CheckErrorMessage(t, resp, "api.user.check_user_login_attempts.too_many.app_error")
 }