Use the same error message for different kind of authentiction errors (…

…librenms#13306) This prevents usernames to be guess as the application confirms or denies their existence.
digitalwm · Oct 1, 2021 · 0680dc8 · 0680dc8
1 parent 65b385f
commit 0680dc8
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/LibreNMS/Authentication/MysqlAuthorizer.php b/LibreNMS/Authentication/MysqlAuthorizer.php
@@ -23,7 +23,7 @@ public function authenticate($credentials)
         $enabled = $user_data->enabled;
 
         if (! $enabled) {
-            throw new AuthenticationException($message = 'login denied');
+            throw new AuthenticationException();
         }
 
         if (Hash::check($password, $hash)) {

diff --git a/app/Providers/LegacyUserProvider.php b/app/Providers/LegacyUserProvider.php
@@ -128,7 +128,7 @@ public function validateCredentials(Authenticatable $user, array $credentials)
             }
 
             if (empty($credentials['username']) || ! $authorizer->authenticate($credentials)) {
-                throw new AuthenticationException('Invalid Credentials');
+                throw new AuthenticationException();
             }
 
             return true;