This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

Unambiguous non-existent user/invalid password messages via JSON. #673

Open
usrbinsam opened this issue Jul 2, 2017 · 1 comment · May be fixed by #802

Comments

@usrbinsam

In addition to #357, Flask-Security gives attackers hints as to whether the username or password is invalid. Even if you change SECURITY_MSG_USER_DOES_NOT_EXIST and SECURITY_MSG_INVALID_PASSWORD to use ambiguous wording, talking to the login view via JSON (for example) will still give hints as to whether the email or password is incorrect.

For an invalid password, the response looks like:

{'meta': {'code': 400},
 'response': {'errors': {'password': ['Invalid username or password']}}}

And a non-existent user:

{'meta': {'code': 400},
 'response': {'errors': {'email': ['Invalid username or password']}}}
@jirikuncar
Contributor

@miniCruzer we should change the field validators to form validators.
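The contrast between the two approaches, as an added example that is not Flask-Security's own code: per-field validators key the error by whichever field failed, so the JSON payload reveals whether the account exists, while a single form-level check returns the same payload for both failures. The user store, hasher and the `form` error key are assumptions made for the example.

```python
import hashlib
import hmac

MSG = "Invalid username or password"
_DUMMY_SALT = b"constructed-dummy-salt"


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hasher the real app uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


# Constructed in-memory user store: email -> (salt, password hash).
_SALT = b"constructed-salt-1"
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}


def _password_ok(email: str, password: str) -> bool:
    # Hash even for unknown users so response time does not leak existence
    # either, and compare in constant time.
    salt, stored = USERS.get(email, (_DUMMY_SALT, b"\x00" * 32))
    match = hmac.compare_digest(_hash(password, salt), stored)
    return match and email in USERS


def _json_response(errors: dict) -> dict:
    # Mirrors the {'meta': ..., 'response': ...} shape shown in the issue.
    code = 400 if errors else 200
    return {"meta": {"code": code}, "response": {"errors": errors} if errors else {}}


def login_field_validators(email: str, password: str) -> dict:
    """Leaky: each validator reports on its own field, so the error key
    alone tells the caller whether the email is registered."""
    errors = {}
    if email not in USERS:
        errors["email"] = [MSG]
    elif not _password_ok(email, password):
        errors["password"] = [MSG]
    return _json_response(errors)


def login_form_validator(email: str, password: str) -> dict:
    """Hardened: one form-level check; unknown user and wrong password
    yield identical payloads (the 'form' key is an assumed name)."""
    errors = {} if _password_ok(email, password) else {"form": [MSG]}
    return _json_response(errors)
```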

boytm added a commit to boytm/flask-security that referenced this issue Oct 13, 2018
jasco pushed a commit to jasco/flask-security that referenced this issue Oct 3, 2023
* Fix backwards compat issues with permissions.

Now - if an app uses fsqla_vX it just works.
Added description in CHANGES on how apps that don't use fsqla_vX need to be modified.

Added some tests to verify working with older DBs.

The fsqlalchemy example was crazy - trying to use mocks made everything very complex. Converted to a simpler in-memory DB style testing.

closes pallets-eco#673