Closed LoneRifle closed 1 year ago
When integrated: false, the auth callback in line 123 treats all errors the same, ie 500.
integrated: false
This includes InvalidCredentialsError, which really should be treated as an authentication failure, ie 401.
InvalidCredentialsError
Treating InvalidCredentialsError as auth failure is in-line with the spec written for strategies, as documented in https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L279 and https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L341.
PR's welcome
bhoriuchi
commented
1 year ago bhoriuchi
commented
1 year ago
When
integrated: false, the auth callback in line 123 treats all errors the same, ie 500.This includes
InvalidCredentialsError, which really should be treated as an authentication failure, ie 401.Treating
InvalidCredentialsErroras auth failure is in-line with the spec written for strategies, as documented in https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L279 and https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L341.