
Conversation

@atomfrede
Member

This PR does two things:

For imperative and reactive during registration we do not expose an error (e.g. username already exists) via the api. Therefore for the caller successful registration and failed registration look the same, so there is no way (except some sophisticated things like measuring response times) to gain knowledge about existing users and emails.

The second thing is only for reactive, as for imperative Spring Security already took care of it.
In case authentication fails we do not expose the exact error to the caller/the API (e.g. invalid password), as this would also reveal that the login was correct. The generic error now only states "Invalid credentials", which is the same for non-reactive apps.

closes #21731

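As an added illustration of the two behaviours the PR description covers, here is a small Python stand-in for a registration and an authentication endpoint, with the leaky "before" variant beside the hardened one and a regression check that compares the responses for an existing and an unknown login. This is example code written for this page, not JHipster's code or code from this PR. Assumptions made here: the hardened registration answers 201 with an empty body whether or not the account already exists (the PR only says success and failure look the same), and the unknown-login path verifies a dummy hash so both paths do the same hashing work, which is a common way to narrow the response-time channel the description mentions rather than something the PR claims to implement.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Response = Tuple[int, dict]  # (HTTP status, JSON body) as the API caller sees it


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the real password encoder; what matters here is that
    # the same work is done whether or not the account exists.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class User:
    login: str
    email: str
    salt: bytes
    pw_hash: bytes


class AccountService:
    """In-memory stand-in (constructed for this example) for the two endpoints."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        # Dummy credential verified when the login is unknown, so that path costs
        # the same as the known-user path (assumed mitigation, not from the PR).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)

    def _email_taken(self, email: str) -> bool:
        return any(u.email.lower() == email.lower() for u in self._users.values())

    def _create(self, login: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[login] = User(login, email, salt, _hash_password(password, salt))

    # --- registration -------------------------------------------------------

    def register_leaky(self, login: str, email: str, password: str) -> Response:
        """'Before' behaviour: distinct errors tell the caller which accounts exist."""
        if login in self._users:
            return 400, {"error": "login already in use"}
        if self._email_taken(email):
            return 400, {"error": "email already in use"}
        self._create(login, email, password)
        return 201, {}

    def register(self, login: str, email: str, password: str) -> Response:
        """Hardened: the same response whether or not the login/email already exists."""
        if login in self._users or self._email_taken(email):
            # Conflict is handled out of band (e.g. notify the existing owner), never via the API.
            return 201, {}
        self._create(login, email, password)
        return 201, {}

    # --- authentication -----------------------------------------------------

    def authenticate_leaky(self, login: str, password: str) -> Response:
        """'Before' behaviour: 'user not found' vs 'invalid password' confirms valid logins."""
        user = self._users.get(login)
        if user is None:
            return 401, {"error": "user not found"}
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            return 401, {"error": "invalid password"}
        return 200, {"id_token": "<token placeholder>"}

    def authenticate(self, login: str, password: str) -> Response:
        """Hardened: one generic error, and the same hashing work on every path."""
        user = self._users.get(login)
        salt, expected = (user.salt, user.pw_hash) if user else (self._dummy_salt, self._dummy_hash)
        matches = hmac.compare_digest(_hash_password(password, salt), expected)
        if user is None or not matches:
            return 401, {"error": "Invalid credentials"}
        return 200, {"id_token": "<token placeholder>"}


def reveals_account_existence(handler: Callable[[str], Response],
                              known_login: str, unknown_login: str) -> bool:
    """Regression check: does the API response differ between an existing and an unknown login?"""
    return handler(known_login) != handler(unknown_login)


def run_checks() -> dict:
    """Exercise both variants against a store holding one user ('alice', constructed)."""
    svc = AccountService()
    svc.register("alice", "alice@example.com", "correct horse")
    return {
        "login_ok": svc.authenticate("alice", "correct horse")[0] == 200,
        "leaky_register": reveals_account_existence(
            lambda l: svc.register_leaky(l, f"{l}@example.com", "pw"), "alice", "mallory"),
        "hardened_register": reveals_account_existence(
            lambda l: svc.register(l, f"{l}@example.com", "pw"), "alice", "trent"),
        "leaky_auth": reveals_account_existence(
            lambda l: svc.authenticate_leaky(l, "wrong password"), "alice", "nobody"),
        "hardened_auth": reveals_account_existence(
            lambda l: svc.authenticate(l, "wrong password"), "alice", "nobody"),
    }


if __name__ == "__main__":
    for name, leaks in run_checks().items():
        print(f"{name}: {'LEAKS' if leaks else 'ok'}")
```

The `reveals_account_existence` comparison is the kind of assertion worth keeping in a test suite: it fails as soon as someone reintroduces a distinct "already exists" or "user not found" message on either endpoint.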

@atomfrede atomfrede force-pushed the 21731-do-not-expose-information-about-existing-or-not-existing-users branch 2 times, most recently from 82081d8 to 6684d4a Compare May 31, 2023 20:09
@atomfrede
Member Author

Will check the failing tests later today. Seems to have something to do with microservices.

@atomfrede atomfrede force-pushed the 21731-do-not-expose-information-about-existing-or-not-existing-users branch 8 times, most recently from f121b7f to d57cf7a Compare June 2, 2023 19:28
@atomfrede
Member Author

atomfrede commented Jun 2, 2023

Don't know what's the remaining issue with the failing test, as Gradle does not print the failing assertion. I again have issues setting up my development setup, can't generate any applications right now :(

Not nice, but I adapted the assertion to both possible results.

@atomfrede atomfrede force-pushed the 21731-do-not-expose-information-about-existing-or-not-existing-users branch from d57cf7a to 83b3606 Compare June 2, 2023 20:26
@atomfrede atomfrede force-pushed the 21731-do-not-expose-information-about-existing-or-not-existing-users branch from 83b3606 to 8264ec3 Compare June 3, 2023 06:02
@DanielFran DanielFran merged commit e8618c4 into jhipster:main Jun 3, 2023
@DanielFran DanielFran added this to the 8.0.0-beta.1 milestone Jun 3, 2023
@DanielFran
Member

@atomfrede approved


Successfully merging this pull request may close these issues.

Security: /authenticate endpoint returns information about users in the database
