opensingular / singular-keycloak-database-federation

Keycloak User Storage SPI for Relational Databases (Keycloak User Federation, supports postgresql, mysql, oracle and mysql)
Apache License 2.0
120 stars 57 forks

Nonexistent username login causes a server exception instead of just refusing access #10

Closed dla-c-box closed 2 years ago

dla-c-box commented 2 years ago

e.g. if you try to log in with username "xyz" and this user is not found in the DB, the ResultSet of the query trying to fetch the password hash for this user will be empty (i.e. 0 rows returned) and Keycloak would show an error similar to the following to the end user (with a long stack trace in the server log):

We are sorry...
Unexpected error when handling authentication request to identity provider.

This PR fixes this problem in readString (used to get the password), and the same weakness found in readInt and readBoolean.

Also, BCrypt.checkpw requires a hash that contains some characters, and we don't have any hash if the user is not found, so validateCredentials will just return false in that scenario (i.e. the user is not found, so the credentials are not valid).
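The two guards described in this PR, as an added illustration that is not the project's own code: `readString` returns an empty `Optional` instead of calling `getString` on a `ResultSet` that has no row, and `validateCredentials` rejects the login before `BCrypt.checkpw` ever sees a missing hash. The table name, column names, the `users` schema and the use of an in-memory H2 database (`jdbc:h2:mem:`) plus jBCrypt (`org.mindrot.jbcrypt`) on the classpath are assumptions made for this example; the same `rs.next()` check is what `readInt` and `readBoolean` need.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;

import org.mindrot.jbcrypt.BCrypt; // assumption: jBCrypt on the classpath

public class SafeUserLookup {

    /**
     * Returns the first column of the first row, or empty when the query matched no rows.
     * Calling rs.getString(1) without a prior successful rs.next() is what raised the
     * exception for unknown usernames.
     */
    static Optional<String> readString(PreparedStatement ps) throws SQLException {
        try (ResultSet rs = ps.executeQuery()) {
            if (!rs.next()) {
                return Optional.empty(); // unknown user: no row, so no hash
            }
            return Optional.ofNullable(rs.getString(1));
        }
    }

    /** Unknown user or blank stored hash is simply "not valid"; never an exception. */
    static boolean validateCredentials(Connection conn, String username, String password)
            throws SQLException {
        // assumed schema: users(username, password_hash)
        String sql = "SELECT password_hash FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            Optional<String> hash = readString(ps);
            // BCrypt.checkpw throws IllegalArgumentException on an empty or malformed hash,
            // so the missing-hash case must be decided before calling it.
            if (hash.isEmpty() || hash.get().isBlank()) {
                return false;
            }
            return BCrypt.checkpw(password, hash.get());
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory H2 table so the example runs without an external database.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (username VARCHAR(64) PRIMARY KEY,"
                         + " password_hash VARCHAR(60))");
            }
            try (PreparedStatement ins = conn.prepareStatement("INSERT INTO users VALUES (?, ?)")) {
                ins.setString(1, "alice");
                ins.setString(2, BCrypt.hashpw("correct horse", BCrypt.gensalt()));
                ins.execute();
            }
            System.out.println("alice/correct : " + validateCredentials(conn, "alice", "correct horse"));
            System.out.println("alice/wrong   : " + validateCredentials(conn, "alice", "wrong"));
            System.out.println("xyz/anything  : " + validateCredentials(conn, "xyz", "anything"));
        }
    }
}
```

The third lookup is the case from the report: the username does not exist, the query returns zero rows, and the method returns `false` rather than throwing, so Keycloak shows the ordinary invalid-credentials message and the server log no longer gets a stack trace for every mistyped username.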

viniciusuriel commented 2 years ago

Nice, I have been very busy this week, but I will integrate it as soon as possible.