generator-jhipster: Security: /authenticate endpoint returns information about users in the database
Overview of the feature request
Return a generic login error for accounts that do not exist in the database (JHipster 7.9.3)
Motivation for or Use Case
Currently, when logging in with a non-existent user, the API response is:

```json
{
  "type" : "https://www.jhipster.tech/problem/problem-with-message",
  "title" : "Unauthorized",
  "status" : 401,
  "detail" : "User thisisanonexistinguser was not found in the database",
  "path" : "/api/authenticate",
  "message" : "error.http.401"
}
```
This gives a malicious user a username-enumeration oracle: the `detail` field echoes the submitted login and states that it does not exist, so a list of candidate logins can be checked against the database one request at a time, and the accounts that do exist can then be targeted with password guessing.
Proposed solution
The solution would be to respond with the same generic “invalid username or password” message for an unknown login and for a wrong password, so the two failure cases cannot be told apart from the response.
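A practitioner who applies the generic-message fix will want to confirm that the two failure cases really are indistinguishable. The following is an added example, not code from generator-jhipster: it compares the 401 body for an unknown login with the 401 body for an existing login and a wrong password, and reports any field that differs or any echo of the submitted login. The sample bodies are constructed (the unknown-user body is copied from the issue; the wrong-password and generic bodies are assumed shapes), and the live fetch helper assumes the JWT login request shape `{"username", "password", "rememberMe"}`.

```python
"""Differential check for username enumeration on /api/authenticate.

Added example, not project code.  Offline by default: the constructed
bodies below stand in for real responses; fetch_authenticate() can be
used against a running gateway (assumed request/response shape).
"""
import json
import urllib.error
import urllib.request

# Request-dependent fields that must not count as a difference.
VOLATILE_FIELDS = {"path", "timestamp", "traceId"}

# Constructed sample: the leaky 401 from the issue (unknown login).
LEAKY_UNKNOWN_USER = {
    "type": "https://www.jhipster.tech/problem/problem-with-message",
    "title": "Unauthorized",
    "status": 401,
    "detail": "User thisisanonexistinguser was not found in the database",
    "path": "/api/authenticate",
    "message": "error.http.401",
}
# Constructed sample (assumed): existing login, wrong password.
LEAKY_BAD_PASSWORD = dict(LEAKY_UNKNOWN_USER, detail="Bad credentials")
# Constructed sample (assumed): what both cases should return after the fix.
GENERIC = dict(LEAKY_UNKNOWN_USER, detail="Invalid username or password")


def normalize(body):
    """Drop request-dependent fields so bodies compare on disclosure only."""
    return {k: v for k, v in body.items() if k not in VOLATILE_FIELDS}


def distinguishing_fields(unknown_user_body, bad_password_body):
    """Names of fields whose values differ between the two failure bodies.
    Any non-empty result is an enumeration oracle."""
    a, b = normalize(unknown_user_body), normalize(bad_password_body)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


def mentions_login(body, login):
    """True when the submitted login is echoed anywhere in the body."""
    return login in json.dumps(body)


def compare_responses(unknown_user, bad_password, login):
    """unknown_user / bad_password are (http_status, body) pairs.
    Returns a list of findings; an empty list means no oracle observed."""
    findings = []
    if unknown_user[0] != bad_password[0]:
        findings.append(f"status differs: {unknown_user[0]} vs {bad_password[0]}")
    for field in distinguishing_fields(unknown_user[1], bad_password[1]):
        findings.append(f"body field differs: {field}")
    if mentions_login(unknown_user[1], login):
        findings.append("submitted login echoed in response body")
    return findings


def fetch_authenticate(base_url, login, password):
    """POST to /api/authenticate, return (http_status, parsed_body).
    Live helper only; the offline check never calls it."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/authenticate",
        data=json.dumps({"username": login, "password": password,
                         "rememberMe": False}).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def check_live(base_url, existing_login, unknown_login="thisisanonexistinguser"):
    """Run the differential check against a running instance.
    existing_login must be a real account; the password is deliberately wrong."""
    wrong = "definitely-not-the-password"
    return compare_responses(
        fetch_authenticate(base_url, unknown_login, wrong),
        fetch_authenticate(base_url, existing_login, wrong),
        unknown_login,
    )


if __name__ == "__main__":
    before = compare_responses((401, LEAKY_UNKNOWN_USER),
                               (401, LEAKY_BAD_PASSWORD), "thisisanonexistinguser")
    after = compare_responses((401, GENERIC), (401, GENERIC), "thisisanonexistinguser")
    print("before fix:", before)
    print("after fix: ", after)
```

Run `check_live("http://localhost:8080", "admin")` (account name assumed) against a patched and an unpatched build to see the findings list shrink to empty. The check only covers what is in the response; a remaining timing difference between "user not found" (no password hash computed) and "wrong password" is a separate oracle that this script does not measure.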
Related issues or PR
Didn’t find similar issues
- [x] Checking this box is mandatory (this is just to show you read everything)
About this issue
- State: closed
- Created a year ago
- Comments: 36 (25 by maintainers)
Commits related to this issue
- prevent leakage of user information via api closes #21731 — committed to atomfrede/generator-jhipster by atomfrede a year ago
- prevent leakage of user information via api closes #21731 — committed to BrayanMnz/generator-jhipster by atomfrede a year ago
- do not hide registration errors (login/email already used) relates to #21731 — committed to atomfrede/generator-jhipster by atomfrede 8 months ago
Will do it now 😄 I have some time, children are sleeping already
Need to prepare the PR
Still working on it. Hope to get back to it this week(end).
@atomfrede I agree that we shouldn’t give the end user any additional information before they authenticate successfully.
Yes, I have the reactive gateway (thought it’s the only option, but it seems you can generate gateway using the “old way” as well)
@atomfrede
`npm ci` to recreate node_modules. And I create a bash alias from `jhipster` to the `generator-jhipster/bin/jhipster.mjs` (absolute path) to avoid recompiling every time.