What is the problem?
The WebUI login page always shows the same error message even though the login API endpoint returns useful error messages.
Steps to reproduce
1. Attempt to login to the qBitTorrent WebUI several times with an invalid username and password combination.
   a. Open Dev tools network tab to observe the XHR network requests.
2. After 5 invalid login attempts, /api/v2/auth/login will return a different error message, but the WebUI will not show it to the user.
Additional context
Invalid passwords, not banned, return HTTP 200 with a responseText of "Fails."
Any password after banning returns HTTP 403 with a responseText of "Your IP address has been banned after too many failed authentication attempts."
Regardless of the error message or status code, the only error shown in the WebUI login page is "Invalid Username or Password".
It looks like there is code intended to pass through (at least some) error messages in login.js L46-L50
I think perhaps the best solution might be to have invalid passwords return an HTTP 403, as well as the desired error string "Invalid Username or Password.", then update line 43 in that file to pass through whatever string the server returned for showing the user the error?
It would make the javascript more of a presentation layer for the backend, so if future error messages are added, no changes are needed to login.js.
I see no security drawbacks to surfacing these errors, because they're already returned by the API. It's just clearer what precisely has gone wrong during login, using errors we're already returning.
qBittorrent & operating system versions
qBittorrent: 5.0.1 x64
Operating system: Gentoo Linux
Qt: 6.7.2
libtorrent-rasterbar: 2.0.10
Log(s) & preferences file(s)
N/A
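As an added illustration of the change proposed in this report (example code, not qBittorrent's login.js or backend), the sketch below models both halves: a backend that answers every login failure with a 403 whose body is the user-facing message, and a login page that simply displays that body instead of a hard-coded string. The status codes, messages and the 5-attempt ban threshold are the ones quoted above; the success body "Ok." and the function names are assumptions.

```javascript
// Added example modelling the proposal in this issue; not the project's own code.

const GENERIC_ERROR = "Invalid Username or Password";
const BAN_THRESHOLD = 5; // report: the ban kicks in after 5 invalid attempts
const BAN_MESSAGE =
  "Your IP address has been banned after too many failed authentication attempts.";

// Current behaviour of /api/v2/auth/login as described in the report.
// (Success body "Ok." is assumed; the report only quotes the failure bodies.)
function currentLoginResponse(credentialsValid, failedAttempts) {
  if (failedAttempts >= BAN_THRESHOLD) return { status: 403, text: BAN_MESSAGE };
  if (!credentialsValid) return { status: 200, text: "Fails." };
  return { status: 200, text: "Ok." };
}

// Proposed backend behaviour: an invalid password is a 403 too, and the body
// already carries the exact message the page should show.
function proposedLoginResponse(credentialsValid, failedAttempts) {
  if (failedAttempts >= BAN_THRESHOLD) return { status: 403, text: BAN_MESSAGE };
  if (!credentialsValid) return { status: 403, text: "Invalid Username or Password." };
  return { status: 200, text: "Ok." };
}

// Current login.js behaviour as reported: every failure maps to one string,
// so the ban message returned by the server is never surfaced.
function currentMessageFor(response) {
  if (response.status === 200 && response.text === "Ok.") return null;
  return GENERIC_ERROR;
}

// Proposed login.js behaviour: the page is a presentation layer and passes the
// server's string through. The generic text remains only as a fallback for an
// empty body, so a new backend message needs no change here.
function proposedMessageFor(response) {
  if (response.status === 200 && response.text === "Ok.") return null;
  const text = (response.text || "").trim();
  return text.length > 0 ? text : GENERIC_ERROR;
}

// Constructed scenarios, not captured traffic: (valid?, failed attempts so far).
const SCENARIOS = [[false, 0], [true, 0], [true, 5], [false, 5]];

function compare() {
  return SCENARIOS.map(([valid, attempts]) => ({
    current: currentMessageFor(currentLoginResponse(valid, attempts)),
    proposed: proposedMessageFor(proposedLoginResponse(valid, attempts)),
  }));
}
```

Running `compare()` shows the banned scenarios collapsing to the generic text under the current mapping while the proposed mapping surfaces the ban message verbatim.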