Login currently returns `Resource Not Found` for anything that isn't a success case, for example: https://github.com/poetapp/frost-api/blob/58135e73c2795580979ccfedfea7c42c2f1a6328/src/api/accounts/Login.ts#L18-L39

For the first and second case, return a different, more explicit message: `No account matching email and password found.`. The same message must be returned in both cases to mitigate brute force attacks that try and guess users' emails.

In the case an error is thrown, omit the `try/catch` block here; let the error middleware take care of it.

Should become something like the following code:

```ts
const user = ctx.request.body
const usersController = new AccountsController(ctx.logger, verifiedAccount, pwnedCheckerRoot)
const response = await usersController.get(user.email)
if (!response)
  throw new AccountNotFound()
const passwordsMatch = await verify(user.password, response.password) // if we refactor verify
if (!passwordsMatch)
  throw new AccountNotFound()
const token = await getToken(user.email, Token.Login)
ctx.body = { token, issuer: response.issuer }
```
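The pattern described above, as a self-contained added example (not the project's code): a handler that throws one `AccountNotFound` for both failure cases and a wrapping error middleware that turns it into the response. The account store, password hashing, `getToken` stub and the 404 status are assumptions; the example also verifies against a throwaway hash when the email is unknown, so both failure paths do comparable work.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from 'crypto'

// Constructed stand-in for the password hashing the project does elsewhere (assumption).
const hashPassword = (password: string, salt: Buffer = randomBytes(16)): string =>
  `${salt.toString('hex')}:${scryptSync(password, salt, 32).toString('hex')}`
// verify(plaintext, storedHash) in the argument order the issue's snippet uses.
const verify = (password: string, stored: string): boolean => {
  const [saltHex, hashHex] = stored.split(':')
  const candidate = scryptSync(password, Buffer.from(saltHex, 'hex'), 32)
  return timingSafeEqual(candidate, Buffer.from(hashHex, 'hex'))
}
// Constructed in-memory account store standing in for AccountsController.
const accounts = new Map<string, { password: string; issuer: string }>([
  ['alice@example.com', { password: hashPassword('correct horse'), issuer: 'alice-issuer' }],
])
// Hash of a throwaway secret, verified against when the email is unknown so both
// failure paths do the same work and differ as little as possible in timing.
const DUMMY_HASH = hashPassword(randomBytes(16).toString('hex'))

// One error type, one message, for both failure cases. 404 mirrors the current
// "Resource Not Found" behaviour; the issue does not fix a status code (assumption).
class AccountNotFound extends Error {
  status = 404
  constructor() { super('No account matching email and password found.') }
}

interface Ctx { request: { body: { email: string; password: string } }; status?: number; body?: unknown }

// The handler only throws; no try/catch here.
const login = (ctx: Ctx): void => {
  const { email, password } = ctx.request.body
  const account = accounts.get(email)
  const passwordsMatch = verify(password, account ? account.password : DUMMY_HASH)
  if (!account || !passwordsMatch) throw new AccountNotFound()
  ctx.status = 200
  ctx.body = { token: `token-for-${email}`, issuer: account.issuer } // getToken stubbed (assumption)
}

// Error middleware: turns thrown errors into the HTTP response so handlers stay free of try/catch.
const withErrorMiddleware = (handler: (ctx: Ctx) => void) => (ctx: Ctx): Ctx => {
  try { handler(ctx) } catch (e) {
    ctx.status = e instanceof AccountNotFound ? e.status : 500
    ctx.body = { status: ctx.status, message: e instanceof Error ? e.message : 'Internal error' }
  }
  return ctx
}

const handleLogin = (email: string, password: string): Ctx =>
  withErrorMiddleware(login)({ request: { body: { email, password } } })
```

Unknown email and wrong password produce byte-identical responses, which is the property the issue asks for.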