fix: login security issue (#1198)

* fix

* fix bug

* changes

* Revert "changes"

This reverts commit 2b2084c7bd.

* should close the toast if it's an error also

* no internal errors + sso

* change the text to Incorrect login credentials, please try again
pull/1229/head
Thareek Anvar M 2 years ago committed by GitHub
parent 6dab43523d
commit e83ea7fd76
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -31,10 +31,10 @@ func (s *Server) registerAuthRoutes(g *echo.Group) {
} }
user, err := s.Store.FindUser(ctx, userFind) user, err := s.Store.FindUser(ctx, userFind)
if err != nil && common.ErrorCode(err) != common.NotFound { if err != nil && common.ErrorCode(err) != common.NotFound {
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find user by username %s", signin.Username)).SetInternal(err) return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
} }
if user == nil { if user == nil {
return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("User not found with username %s", signin.Username)) return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
} else if user.RowStatus == api.Archived { } else if user.RowStatus == api.Archived {
return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", signin.Username)) return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", signin.Username))
} }
@ -42,7 +42,7 @@ func (s *Server) registerAuthRoutes(g *echo.Group) {
// Compare the stored hashed password, with the hashed version of the password that was received. // Compare the stored hashed password, with the hashed version of the password that was received.
if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(signin.Password)); err != nil { if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(signin.Password)); err != nil {
// If the two passwords don't match, return a 401 status. // If the two passwords don't match, return a 401 status.
return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect password").SetInternal(err) return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
} }
if err = setUserSession(c, user); err != nil { if err = setUserSession(c, user); err != nil {
@ -99,7 +99,7 @@ func (s *Server) registerAuthRoutes(g *echo.Group) {
Username: &userInfo.Identifier, Username: &userInfo.Identifier,
}) })
if err != nil && common.ErrorCode(err) != common.NotFound { if err != nil && common.ErrorCode(err) != common.NotFound {
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find user by username %s", userInfo.Identifier)).SetInternal(err) return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
} }
if user == nil { if user == nil {
userCreate := &api.UserCreate{ userCreate := &api.UserCreate{
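Review bot: The archived branch at the end of the first hunk still returns `fmt.Sprintf("User has been archived with username %s", signin.Username)` with a distinct 403, so after this change unified the not-found and wrong-password messages a sign-in attempt can still learn that an account exists; the status code difference alone is such a signal, so the consistent choice is `return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")` there too. In the store-error lines of the first and third hunks, `.SetInternal(err)` was dropped together with the message, so the underlying FindUser error no longer reaches the server-side error handler; the safe shape keeps a generic client message but preserves the cause, e.g. `return echo.NewHTTPError(http.StatusInternalServerError, "Failed to sign in").SetInternal(err)`. The third hunk appears to be the SSO callback (it looks up `userInfo.Identifier`), where a "credentials" message is misleading for what is a store failure rather than a bad password. Response timing also still differs because `bcrypt.CompareHashAndPassword` in the second hunk only runs for an existing user; if that matters for this deployment, comparing against a fixed dummy hash on the not-found path is the usual mitigation. registerAuthRoutes starts before and ends after these hunks.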

@ -94,7 +94,7 @@ const initialToastHelper = () => {
return showToast({ type: "success", content, duration }); return showToast({ type: "success", content, duration });
}; };
const error = (content: string, duration = -1) => { const error = (content: string, duration = 5000) => {
return showToast({ type: "error", content, duration }); return showToast({ type: "error", content, duration });
}; };
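Review bot: The new default `duration = 5000` in the error helper is a bare literal; if it is meant to match the success helper's default (declared outside this hunk), a shared named constant such as `const DEFAULT_TOAST_DURATION = 5000;` alongside `initialToastHelper` keeps the two from drifting. A one-line comment noting that the previous `-1` presumably meant the error toast never auto-closed would also document why the default changed. initialToastHelper starts before and ends after this hunk.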
