Wrong error message when valid email format of not existing user and fake password provided

[meceo]

ISSUES THAT DO NOT FOLLOW THIS TEMPLATE WILL BE CLOSED IMMEDIATELY.

• This is not a usage question.
  • Our volunteers' time is limited, so please ask usage questions on
    StackOverflow.
• This is not a security issue.
  • Do not disclose security issues in public. See our contributing
    guide
    for instructions.
• This bug is reproducible with a clean install of authlogic
• I am committed to fixing this in a reasonable amount of time, and
  responding promptly to feedback.

Expected Behavior

For the login form. If the email of a not existing user is in the correct format (for example [email protected]) and a fake password is provided the error notification says: "Email is not valid".

(rdbg) @user_session    # ruby
#<UserSession: {:email=>"[email protected]", :password=>"<protected>"}>
(rdbg) @user_session.errors    # ruby
#<ActiveModel::Errors [#<ActiveModel::Error attribute=email, type=is not valid, options={}>]>

Additionally, the error message can't be translated using official translation keys. Other errors can be translated successfuly.

pl:
  authlogic:
    error_messages:
      ...
      email_invalid: xxx should look like an email address.
      ...

Actual Behavior

The actual error message should be of type general_credentials_error because the email is valid. It simply doesn't exist in the database, but that information should not be exposed.

[mrpudn]

I experienced essentially this same issue.

When the email is valid and exists in the database, and the password is incorrect, I would receive an error that the password is invalid. When the email is valid but does not exist in the database, I would receive an error that the email is invalid.

I am surprised that this is the default behavior. This is a security flaw that can be exploited to reveal the presence of email addresses in your application's database. This should really not be the default.

I had to do some digging in the code to find where this can be changed. The solution was to add the following to my UserSession class:

class UserSession < Authlogic::Session::Base
  generalize_credentials_error_messages true
end

When generalize_credentials_error_messages is set to true, a generic error message will be added by add_invalid_password_error when a login fails regardless of whether the email address was present in the database, ex. "Email/Password combination is not valid". I have tested this change, and I am now seeing a generic error message, as desired.

Per the comments in the code, you can also add a custom message like so:

class UserSession < AuthLogic::Session::Base
  generalize_credentials_error_messages "Your login information is invalid"
end

For il8n, it looks like this would be the way to change the message, but I have not tested this:

en:
  authlogic:
    error_messages:
      # ...
      general_credentials_error: Email/Password combination is not valid
      # ...

It looks like the code will perform the translation accordingly, though:

authlogic/lib/authlogic/session/base.rb

Line 1596 in ef95d13

I18n.t("error_messages.general_credentials_error", default: error_message)