Fake password verification when trying to login with inexistant account
Fix #170
This commit is contained in:
parent
78b3202a32
commit
3373bb66cd
@ -57,6 +57,10 @@ fn create(conn: DbConn, data: LenientForm<LoginForm>, flash: Option<FlashMessage
|
||||
Err(e) => e
|
||||
};
|
||||
if let Err(_) = user.clone() {
|
||||
// Fake password verification, only to avoid different login times
|
||||
// that could be used to see if an email adress is registered or not
|
||||
User::get(&*conn, 1).map(|u| u.auth(form.password.clone()));
|
||||
|
||||
let mut err = ValidationError::new("invalid_login");
|
||||
err.message = Some(Cow::from("Invalid username or password"));
|
||||
errors.add("email_or_name", err)
|
||||
|
Loading…
Reference in New Issue
Block a user