You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently when a user attempts login before registration, we respond with 403 and an empty string message.
In cases where a user was registered and bound to a 3pid already, we return "Invalid Password" as a message.
2 issues arise from this behavior:
- The major one is user existence leak. Having 2 different error messages for unregistered users and registered users who've entered the wrong password essentially leaks the information about that particular user's existence.
- While another issue is having a non-informative error message in the current approach. As the user wasn't yet registered, it has no password, so essentially no password is valid, implying the need to return "Invalid Password" instead of just "".
