diff --git a/keyserver/src/responders/user-responders.js b/keyserver/src/responders/user-responders.js --- a/keyserver/src/responders/user-responders.js +++ b/keyserver/src/responders/user-responders.js @@ -284,7 +284,11 @@ } const username = request.username ?? request.usernameOrEmail; if (!username) { - throw new ServerError('invalid_parameters'); + if (hasMinCodeVersion(viewer.platformDetails, 150)) { + throw new ServerError('invalid_credentials'); + } else { + throw new ServerError('invalid_parameters'); + } } const userQuery = SQL` SELECT id, hash, username @@ -297,16 +301,19 @@ } = await promiseAll(promises); if (userResult.length === 0) { - throw new ServerError('invalid_parameters'); + if (hasMinCodeVersion(viewer.platformDetails, 150)) { + throw new ServerError('invalid_credentials'); + } else { + throw new ServerError('invalid_parameters'); + } } + const userRow = userResult[0]; + if (!userRow.hash || !bcrypt.compareSync(request.password, userRow.hash)) { - if (hasMinCodeVersion(viewer.platformDetails, 99999)) { - throw new ServerError('invalid_parameters'); - } else { - throw new ServerError('invalid_credentials'); - } + throw new ServerError('invalid_credentials'); } + const id = userRow.id.toString(); return await processSuccessfulLogin(viewer, input, id, calendarQuery); } diff --git a/keyserver/src/utils/validation-utils.js b/keyserver/src/utils/validation-utils.js --- a/keyserver/src/utils/validation-utils.js +++ b/keyserver/src/utils/validation-utils.js 
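Review bot: The version gate added under `if (!username)` is repeated verbatim in the `userResult.length === 0` branch of the next hunk and again in `checkInputValidator` in validation-utils.js, each time with the bare literal `150`. Three copies of a security-relevant branch are easy to update inconsistently, so I would compute the code once, for example `const code = hasMinCodeVersion(viewer.platformDetails, 150) ? 'invalid_credentials' : 'invalid_parameters';` followed by `throw new ServerError(code);`. A named constant for 150, with a comment saying which client release it corresponds to, would also help. The enclosing responder starts and ends outside this hunk.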
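Review bot: The `userResult.length === 0` branch still throws before any bcrypt work is done, so an unknown username is answered faster than a known one with a wrong password. The unified `invalid_credentials` code therefore does not hide account existence from a caller who measures response time. Consider evaluating the password against a fixed placeholder hash on that path, and on the `!userRow.hash` short-circuit, before throwing, so that every failure costs one bcrypt comparison. Separately, callers reporting a code version below 150 still receive `invalid_parameters` here and `invalid_credentials` for a bad password; if `viewer.platformDetails` is client-reported, as it appears to be, that distinction stays available to anyone, so a comment stating when the legacy branch will be removed is worth adding. The function body begins above this hunk.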
@@ -18,14 +18,19 @@ if (!viewer.isSocket) { await checkClientSupported(viewer, inputValidator, input); } - checkInputValidator(inputValidator, input); + checkInputValidator(viewer, inputValidator, input); } -function checkInputValidator(inputValidator: *, input: *) { +function checkInputValidator(viewer: Viewer, inputValidator: *, input: *) { if (!inputValidator || inputValidator.is(input)) { return; } - const error = new ServerError('invalid_parameters'); + let error; + if (hasMinCodeVersion(viewer.platformDetails, 150)) { + error = new ServerError('invalid_credentials'); + } else { + error = new ServerError('invalid_parameters'); + } error.sanitizedInput = input ? sanitizeInput(inputValidator, input) : null; throw error; }
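Review bot: `checkInputValidator` looks like the shared failure path for every validated request, so from version 150 on a malformed payload to any endpoint would be reported as `invalid_credentials`, not only a malformed log-in. If that reading is right, clients can no longer tell a schema error from an authentication failure, and one that reacts to `invalid_credentials` by clearing its session would do so on an ordinary bad request. I would keep `invalid_parameters` here and map it to `invalid_credentials` in the log-in responder alone, or, if the wider scope is intended, say so in a comment such as `// applies to all validated endpoints, not just log-in`. The hunk also does not show imports for `Viewer` and `hasMinCodeVersion`, so please confirm both are already in scope in this file.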