probing user names is still possible with "register", so doesn't matter

2019-05-07 17:37:11 +02:00 · 2019-05-07 17:37:11 +02:00 · 640cfe3b03
commit 640cfe3b03
parent 98a774a54d
1 changed files with 2 additions and 4 deletions
--- a/backend/db.coffee
+++ b/backend/db.coffee
@ -82,8 +82,7 @@ class FFTCGDB
            stmt.finalize()
            if err
              logger.warn "reg: FAIL db '#{err.code}' for '#{login}'"
-              # reduce attack surface, don't disclose user names
-              reject 'db' # user already exists
+              reject 'existence' # user already exists

            else
              logger.info "reg: OK '#{login}'"
@ -106,8 +105,7 @@ class FFTCGDB
          # hash the password for timing attack reasons
          bcrypt.hash password, saltRounds, (err, hash) ->
            logger.debug "login: FAIL nonexistent '#{login}'"
-            # reduce attack surface, don't disclose user names
-            reject 'login' # user doesnt exist
+            reject 'existence' # user doesnt exist

        else
          bcrypt.compare password, row.pwdhash, (err, res) ->