mirror of
https://git.joinplu.me/Plume/Plume.git
synced 2024-11-14 07:51:01 +00:00
Make it impossible to know if an username is used or not with the API
This commit is contained in:
parent
0dbf9f519e
commit
647a5af070
1 changed files with 6 additions and 2 deletions
|
@ -35,12 +35,16 @@ fn oauth(query: OAuthRequest, conn: DbConn) -> Json<serde_json::Value> {
|
|||
}))
|
||||
} else {
|
||||
Json(json!({
|
||||
"error": "Wrong password"
|
||||
"error": "Invalid credentials"
|
||||
}))
|
||||
}
|
||||
} else {
|
||||
// Making fake password verification to avoid different
|
||||
// response times that would make it possible to know
|
||||
// if a username is registered or not.
|
||||
User::get(&*conn, 1).unwrap().auth(query.password);
|
||||
Json(json!({
|
||||
"error": "Unknown user"
|
||||
"error": "Invalid credentials"
|
||||
}))
|
||||
}
|
||||
} else {
|
||||
|
|
Loading…
Reference in a new issue