From 640cfe3b034bdfa5e9c856b9841e51d6148b886b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn-Michael=20Miehe?=
Date: Tue, 7 May 2019 17:37:11 +0200
Subject: [PATCH] probing user names is still possible with "register", so doesn't matter
---
 backend/db.coffee | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/backend/db.coffee b/backend/db.coffee
index 795f1fe..66b7131 100644
--- a/backend/db.coffee
+++ b/backend/db.coffee
@@ -82,8 +82,7 @@ class FFTCGDB
 stmt.finalize()
 if err
 logger.warn "reg: FAIL db '#{err.code}' for '#{login}'"
- # reduce attack surface, don't disclose user names
- reject 'db' # user already exists
+ reject 'existence' # user already exists
 else
 logger.info "reg: OK '#{login}'"
@@ -106,8 +105,7 @@ class FFTCGDB
 # hash the password for timing attack reasons
 bcrypt.hash password, saltRounds, (err, hash) ->
 logger.debug "login: FAIL nonexistent '#{login}'"
- # reduce attack surface, don't disclose user names
- reject 'login' # user doesnt exist
+ reject 'existence' # user doesnt exist
 else
 bcrypt.compare password, row.pwdhash, (err, res) ->
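Review bot: In the first hunk, `reject 'existence'` is reached for any `err` on the insert, not only for a duplicate user, so a locked or corrupted database is reported to the caller as "user already exists" while the real cause only appears in the warn log. The branch already has `err.code` available; map only the constraint-violation code to 'existence' (if this is node-sqlite3 that is `SQLITE_CONSTRAINT` — confirm against the driver in use) and keep a generic rejection for everything else, e.g. `reject (if err.code is 'SQLITE_CONSTRAINT' then 'existence' else 'db')`. The same reason string is introduced in the second hunk for the login path, so the two rejections are now indistinguishable to a caller that wants to tell registration conflicts from login failures; a one-line comment at the first use, `# 'existence' is shared by register (duplicate) and login (unknown user)`, would make that deliberate. The enclosing registration callback starts and ends outside the hunk.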
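Review bot: In the second hunk the retained comment `# hash the password for timing attack reasons` is now misleading: the dummy `bcrypt.hash` exists to make the unknown-user and known-user paths take similar time, but the response itself now distinguishes them via `reject 'existence'`, so the timing equalization no longer hides anything. Either restore a single generic rejection for both login failure modes (the `logger.debug "login: FAIL nonexistent ..."` line already records the distinction server-side for operators) or update the comment to say the hashing is kept only to keep both paths equally expensive, not to mask which one ran. The callback's `err` and `hash` parameters are unused on this path; a bcrypt error here still ends in the same rejection, which is fine but worth a short comment. The surrounding `login` method begins and ends outside the hunk.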