From 640a1eeb68053bafed9a80525d339642de90e0d3 Mon Sep 17 00:00:00 2001
From: tametsi <93092155+tametsi@users.noreply.github.com>
Date: Fri, 22 Nov 2024 10:30:58 +0100
Subject: [PATCH] Return generic auth error to prevent user enumeration attacks

On invalid user/password error the error message "Invalid email or password" is returned. Thereby, no information about the existence of the user is given.
---
 backend/internal/token.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/backend/internal/token.js b/backend/internal/token.js
index ed9a45f..0e6dec5 100644
--- a/backend/internal/token.js
+++ b/backend/internal/token.js
@@ -5,6 +5,8 @@ const authModel = require('../models/auth');
 const helpers = require('../lib/helpers');
 const TokenModel = require('../models/token');
 
+const ERROR_MESSAGE_INVALID_AUTH = 'Invalid email or password';
+
 module.exports = {
 
 /**
@@ -69,15 +71,15 @@ module.exports = {
 };
 });
 } else {
- throw new error.AuthError('Invalid password');
+ throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 }
 });
 } else {
- throw new error.AuthError('No password auth for user');
+ throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 }
 });
 } else {
- throw new error.AuthError('No relevant user found');
+ throw new error.AuthError(ERROR_MESSAGE_INVALID_AUTH);
 }
 });
 },
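Review bot: The three `else` branches in the second hunk now throw the same message, but they are still reached after different amounts of work — only the innermost branch sits behind an actual password check, while the "no relevant user" and "no password auth" branches throw immediately — so if that check is a hash comparison (not visible in this hunk), response time can still distinguish an existing account from an unknown one. The usual mitigation is to run the same comparison against a fixed dummy hash in the two early branches before throwing, so every failure path costs roughly the same; that keeps the commit's stated goal intact. The new constant in the first hunk would also benefit from a one-line comment stating why it is shared, e.g. `// One message for every auth failure so the response does not reveal whether the account exists.` The enclosing method starts and ends outside the hunk, so whether anything else (logging, extra error fields) still differs per branch cannot be confirmed from here.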