
fix: use generic error messages in login handler (#845)#1177

Closed. Shrutii-Rai wants to merge 3 commits into aryandas2911:main from Shrutii-Rai:fix/auth-bug-845-v2

Conversation

@Shrutii-Rai

Fixes #845

## 📝 Description

Replaced specific authentication error messages with generic messages to prevent user enumeration attacks.

## 🔗 Related Issue
Closes #845

## 🛠️ Changes Made

  • Replaced "User does not exist" with "Invalid email or password"
  • Replaced "Password does not match" with "Invalid email or password"
  • Prevents attackers from knowing whether email is registered or password is wrong

## ✅ Checklist

  • Followed project structure
  • Linked the issue
  • No console errors
  • Only authController.js modified (clean fix)

## 🚀 Notes for Reviewers

This is a resubmission of PR #866 which was closed due to accidental code deletion during conflict resolution. This PR contains only the intended 2-line message changes.

@Shrutii-Rai
Author

Hi @aryandas2911

I'm submitting this as a clean resubmission of PR #866 (which was
closed due to accidental code deletion during conflict resolution —
I apologize for that mistake!).

## What was the bug? 🐛
The login handler was returning specific error messages:

  • "User does not exist" → revealed whether an email is registered
  • "Password does not match" → revealed the email was valid but password was wrong

This is a User Enumeration Attack vulnerability — attackers can
use specific messages to figure out which emails are registered in
the system, and then target those accounts.

## What did I fix?
Replaced both specific messages with a single generic message:

  • ✅ "Invalid email or password"

This prevents attackers from knowing whether the email exists or
the password was wrong — both cases return the same message.

## Why is this important?
This is a standard security best practice followed by major platforms
like Google, GitHub, and others. It significantly reduces the risk of
targeted attacks on user accounts.

## Changes Made 📝

  • Only backend/controllers/authController.js was modified
  • 2 error messages changed in the login handler
  • No other files touched — clean minimal fix ✅

Kindly review and merge this PR when you get a chance.
Happy to make any changes if needed! 🙏

Thank you!

@Shrutii-Rai
Author

Hi @aryandas2911
Could you please review and merge PR #1177 when you get a chance?
I have also been assigned issue #1181 and would like to start working on it.
Thank you!

@aryandas2911
Owner

@Shrutii-Rai there are no changed files in this PR



Development

Successfully merging this pull request may close these issues.

Authentication Bug: Login Fails and Signup Returns Invalid Token Error
