HomePhabricator
Diffusion Comm ce7bc1377e20

[web][native][keyserver] Changing login screen so it displays identical error…
ce7bc1377e20
Actions

Description

[web][native][keyserver] Changing login screen so it displays identical error on wrong username and/or password.

Summary:
Solving issue: https://linear.app/comm/issue/ENG-2047/[web]-[native][keyserver][security]-on-login-wrong-user-and-wrong
Keyserver returns only "invalid_parameters" instead of either "invalid_parameters" or "invalid_credentials". So it is impossible to say which of the fields was wrong based on the error.
As Tomek mentioned it is still possible to perform timing attack but it will be taken care of in another issue on Linear. On web and native we are reacting to "invalid_parameters" displaying message about incorrect credentials, not specifying which one was incorrect.

Screenshot 2022-10-14 at 14.55.35.png (340×606 px, 116 KB)

Screenshot 2022-10-14 at 14.55.12.png (538×492 px, 33 KB)

Test Plan:
Built app.
Tested all scenarios and verified that correct thing is displayed.

Reviewers: tomek, ashoat, kamil, atul

Reviewed By: tomek, ashoat

Subscribers: abosh, atul, kamil, ashoat, tomek

Differential Revision: https://phab.comm.dev/D5368

Details

Provenance
przemekAuthored on Oct 14 2022, 5:38 AM
Reviewer
tomek
Differential Revision
D5368: [web][native][keyserver] Changing login screen so it displays identical error on wrong username and/or password.
Parents
rCOMMbf99526d43e5: [yarn] Bump `sqlite3` to version with prebuilt aarch64 binaries
Branches
Unknown
Tags
Unknown

Changes (3)

PathSize
keyserver/
src/
responders/
native/
account/
web/
account/

rCOMMce7bc1377e20

View Options

keyserver/src/responders/user-responders.js

Loading...
View Options

native/account/log-in-panel.react.js

Loading...
View Options

web/account/log-in-form.react.js

Loading...