Closed ekryski closed 7 years ago
I don't think it should leak information about whether or not the user exists. Just a plain not-authenticated error.
Actually, I just tested on a newly-generated project, and I'm not experiencing this same error. It's returning an actual feathers-errors
401.
I'm using "feathers-authentication-local": "^0.3.4",
Yes but it just says "Error" as the message. It should at least say something like "Invalid login"
Looks like it starts here: https://github.com/feathersjs/feathers-authentication-local/blob/master/src/verifier.js#L58
After _normalizeResult
, it lands in the catch
block, here: https://github.com/feathersjs/feathers-authentication-local/blob/master/src/verifier.js#L81. Since error was false
it runs the else
in the ternary. I think all we have to do is return a third argument. I'll make a PR.
I fixed the problem in #25, but we will need to put a conditional in the sinon.stub here: https://github.com/feathersjs/feathers-authentication-local/blob/master/test/verifier.test.js#L28 in order to fix the test.
Thanks for digging in @marshallswain. I left a comment on #25.
Steps to reproduce
Attempt to authenticate with a username and password that don't exist.
Expected behavior
It should return a proper UnAuthorized error with a nice error message as to what the problem is.
Actual behavior
It returns an error object without an error message.
System configuration
Module versions (especially the part that's not working): feathers-authentication-local@0.3.3
NodeJS version: All
Operating System: All
Browser Version: All
React Native Version: All
Module Loader: All