Fake password verification when trying to login with inexistant account

Fix #170
Bat 2018-09-03 18:04:21 +01:00
parent 78b3202a32
commit 3373bb66cd


@ -57,6 +57,10 @@ fn create(conn: DbConn, data: LenientForm<LoginForm>, flash: Option<FlashMessage
Err(e) => e Err(e) => e
}; };
if let Err(_) = user.clone() { if let Err(_) = user.clone() {
// Fake password verification, only to avoid different login times
// that could be used to see if an email adress is registered or not
User::get(&*conn, 1).map(|u| u.auth(form.password.clone()));
let mut err = ValidationError::new("invalid_login"); let mut err = ValidationError::new("invalid_login");
err.message = Some(Cow::from("Invalid username or password")); err.message = Some(Cow::from("Invalid username or password"));
errors.add("email_or_name", err) errors.add("email_or_name", err)
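Review bot: The added `User::get(&*conn, 1).map(|u| u.auth(form.password.clone()));` line only equalises login timing if a user with id 1 exists and has a local password hash. If that row is missing, or presumably if it has no usable hash, the closure does no hashing and the unknown-account path stays measurably faster, so the registration check this commit targets is still possible. Verifying the submitted password against a fixed dummy hash, generated once with the same algorithm and cost that `auth` uses, would remove the dependency on database contents and the extra query. If the lookup is kept, discard the result explicitly with `let _ = ...` and record the assumption in a comment such as `// assumes user 1 exists and has a local password hash; otherwise no hash is computed`. The body of `create` starts and ends outside this hunk, so whether the found-user path always calls `auth` exactly once could not be checked here.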