
It looks like the server is returning different responses for bad username and bad password #2148

Closed
webbnh opened this issue Mar 24, 2021 · 3 comments · Fixed by #2198
Labels: API, bug, Server


webbnh commented Mar 24, 2021

It looks like we're returning different responses for bad username and bad password (same message, but different statuses). I don't think we want the user to be able to distinguish between them.

Originally posted by @webbnh in #1937 (comment)


webbnh commented Mar 24, 2021

Interestingly, Flask may be doing something similar, although I think they are doing the reverse: they are returning 401 for a non-existent user and 403 for unauthorized credentials, whereas we are returning 401 for a bad password and 403 for a bad username.

@webbnh webbnh changed the title It looks like the server is returning different responses for bad username and bad password (same message, but different statuses). I don't think we want the user to be able to distinguish between them. It looks like the server is returning different responses for bad username and bad password Mar 24, 2021
@portante portante added Backlog API Of and relating to application programming interfaces to services and functions labels Mar 25, 2021
@npalaska

@webbnh interesting, btw it's not Flask but an author of the Flask-HTTPAuth package. When I wrote that status code I followed https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401; it says 401 is for when the request lacks valid authentication credentials (such as a bad password). 403 is forbidden and re-authenticating will make no difference (because we don't have such a user).

@portante

Based on https://stackoverflow.com/questions/32752578/whats-the-appropriate-http-status-code-to-return-if-a-user-tries-logging-in-wit, we should be always returning a 401 stating "bad user or password", but not indicating which.

403 is for an operation that is attempting to execute some action requiring access, but is denied (either because the client is not authenticated, or is authenticated but the authenticated user does not have access).
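To make the discussion concrete, here is an added example (not pbench code, and not Flask-HTTPAuth) that puts the pattern the issue describes beside the fix the thread converges on: the leaky handler returns 403 for an unknown user and 401 for a wrong password, while the uniform handler always returns 401 with the same message and does the same password-hashing work whether or not the user exists, so neither the status code nor the response time reveals which half of the credential was wrong. The user store, salt and helper names are constructed for the example.

```python
"""Uniform 401 for bad username vs bad password (added example, not pbench code)."""
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; the work factor is what makes timing uniform."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hashed password). Hypothetical data.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown username costs the same hashing work as a known one.
_DUMMY = (_SALT, _hash("dummy-password-never-accepted", _SALT))


def login_leaky(username: str, password: str):
    """The pattern the issue reports: the status code says which part failed."""
    if username not in USERS:
        return 403, "bad user or password"      # 403 -> username does not exist
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return 401, "bad user or password"      # 401 -> username exists, wrong password
    return 200, "ok"


def login_uniform(username: str, password: str):
    """The fix suggested in the thread: always 401, same message, same amount of work."""
    salt, stored = USERS.get(username, _DUMMY)
    known = username in USERS
    # Always hash and compare, even for unknown users, so timing does not leak either.
    ok = hmac.compare_digest(stored, _hash(password, salt))
    if not (known and ok):
        return 401, "bad user or password"
    return 200, "ok"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("bob", "x"), fn("alice", "x"), fn("alice", "correct horse"))
```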
