Genericize invalid username or password message

#133 The message given to the user upon an invalid login attempt, for security reasons, should not reveal that the username or password was incorrect. Rather, a generic message should be displayed when the username or password is incorrect.
meanjs · Aug 14, 2014 · aeb0272 · aeb0272
1 parent 2c319c5
commit aeb0272
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/config/strategies/local.js b/config/strategies/local.js
@@ -22,17 +22,17 @@ module.exports = function() {
 				}
 				if (!user) {
 					return done(null, false, {
-						message: 'Unknown user'
+						message: 'Unknown user or invalid password'
 					});
 				}
 				if (!user.authenticate(password)) {
 					return done(null, false, {
-						message: 'Invalid password'
+						message: 'Unknown user or invalid password'
 					});
 				}
 
 				return done(null, user);
 			});
 		}
 	));
-};
+};