Closed LoneRifle closed 1 year ago
When `integrated: false`, the auth callback in line 123 treats all errors the same, i.e. 500.

This includes `InvalidCredentialsError`, which really should be treated as an authentication failure, i.e. 401.

Treating `InvalidCredentialsError` as auth failure is in line with the spec written for strategies, as documented in https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L279 and https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L341.
PRs welcome
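A sketch of the distinction the issue asks for, added here as an illustration and not taken from the project's code: a credential error goes to Passport's `fail()` (401), and every other error goes to `error()` (500). `makeAuthCallback`, `recordOutcome` and the local `InvalidCredentialsError` class are hypothetical stand-ins; only the `success`/`fail`/`error` strategy methods are Passport's own.

```javascript
// Stand-in for the LDAP client's error type (assumption: the real one is
// supplied by the LDAP library and carries this name).
class InvalidCredentialsError extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidCredentialsError';
  }
}

// Builds the callback a strategy would hand to its LDAP lookup.
// Passport's contract: fail(challenge, status) is an authentication failure,
// error(err) is an internal error, success(user) is an authenticated request.
function makeAuthCallback(strategy) {
  return function onLdapResult(err, user) {
    if (err) {
      // Match on the name so the check survives duplicate module copies.
      if (err.name === 'InvalidCredentialsError') {
        return strategy.fail({ message: 'Invalid credentials' }, 401);
      }
      // Connection problems, timeouts, bugs: a genuine server-side error.
      return strategy.error(err);
    }
    // Assumption: a lookup that returns no user is also an auth failure.
    if (!user) return strategy.fail({ message: 'Unknown user' }, 401);
    return strategy.success(user);
  };
}

// Recording stub in place of a live Passport strategy, so the mapping can be
// checked offline. Inputs passed to it are constructed samples.
function recordOutcome(err, user) {
  const outcome = {};
  const strategy = {
    success: (u) => { outcome.kind = 'success'; outcome.user = u; },
    fail: (challenge, status) => { outcome.kind = 'fail'; outcome.status = status; },
    error: (e) => { outcome.kind = 'error'; outcome.status = 500; outcome.cause = e; },
  };
  makeAuthCallback(strategy)(err, user);
  return outcome;
}
```
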