Merge pull request #575 from pgrodrigues/0.4.0

Abstract the local strategy login error to thwart hackers
2026-03-10 22:20:29 +01:00 · 2015-06-03 19:39:19 -04:00
parent 716925b29f e11ffda6e5
commit cd5db4ad4d
1 changed files with 2 additions and 7 deletions
--- a/modules/users/server/config/strategies/local.js
+++ b/modules/users/server/config/strategies/local.js
@@ -20,14 +20,9 @@ module.exports = function() {
 				if (err) {
 					return done(err);
 				}
-				if (!user) {
+				if (!user || !user.authenticate(password)) {
 					return done(null, false, {
-						message: 'Unknown user'
-					});
-				}
-				if (!user.authenticate(password)) {
-					return done(null, false, {
-						message: 'Invalid password'
+						message: 'Invalid username or password'
 					});
 				}