fix: standardize authentication error messages to prevent user enumeration (#24324)

Signed-off-by: -LAN- <laipz8200@outlook.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2025-08-26 09:46:23 +08:00
parent c14b498676
commit cfb8d224da
5 changed files with 157 additions and 11 deletions
--- a/api/controllers/console/auth/error.py
+++ b/api/controllers/console/auth/error.py
@@ -55,6 +55,12 @@ class EmailOrPasswordMismatchError(BaseHTTPException):
    code = 400


+class AuthenticationFailedError(BaseHTTPException):
+    error_code = "authentication_failed"
+    description = "Invalid email or password."
+    code = 401
+
+
 class EmailPasswordLoginLimitError(BaseHTTPException):
    error_code = "email_code_login_limit"
    description = "Too many incorrect password attempts. Please try again later."
--- a/api/controllers/console/auth/login.py
+++ b/api/controllers/console/auth/login.py
@@ -9,8 +9,8 @@ from configs import dify_config
 from constants.languages import languages
 from controllers.console import api
 from controllers.console.auth.error import (
+    AuthenticationFailedError,
    EmailCodeError,
-    EmailOrPasswordMismatchError,
    EmailPasswordLoginLimitError,
    InvalidEmailError,
    InvalidTokenError,
@@ -79,7 +79,7 @@ class LoginApi(Resource):
            raise AccountBannedError()
        except services.errors.account.AccountPasswordError:
            AccountService.add_login_error_rate_limit(args["email"])
-            raise EmailOrPasswordMismatchError()
+            raise AuthenticationFailedError()
        except services.errors.account.AccountNotFoundError:
            if FeatureService.get_system_features().is_allow_register:
                token = AccountService.send_reset_password_email(email=args["email"], language=language)
@@ -132,6 +132,7 @@ class ResetPasswordSendEmailApi(Resource):
            account = AccountService.get_user_through_email(args["email"])
        except AccountRegisterError as are:
            raise AccountInFreezeError()
+
        if account is None:
            if FeatureService.get_system_features().is_allow_register:
                token = AccountService.send_reset_password_email(email=args["email"], language=language)
--- a/api/controllers/web/forgot_password.py
+++ b/api/controllers/web/forgot_password.py
@@ -7,13 +7,14 @@ from sqlalchemy import select
 from sqlalchemy.orm import Session

 from controllers.console.auth.error import (
+    AuthenticationFailedError,
    EmailCodeError,
    EmailPasswordResetLimitError,
    InvalidEmailError,
    InvalidTokenError,
    PasswordMismatchError,
 )
-from controllers.console.error import AccountNotFound, EmailSendIpLimitError
+from controllers.console.error import EmailSendIpLimitError
 from controllers.console.wraps import email_password_login_enabled, only_edition_enterprise, setup_required
 from controllers.web import api
 from extensions.ext_database import db
@@ -46,7 +47,7 @@ class ForgotPasswordSendEmailApi(Resource):
            account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()
        token = None
        if account is None:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()
        else:
            token = AccountService.send_reset_password_email(account=account, email=args["email"], language=language)

@@ -131,7 +132,7 @@ class ForgotPasswordResetApi(Resource):
            if account:
                self._update_existing_account(account, password_hashed, salt, session)
            else:
-                raise AccountNotFound()
+                raise AuthenticationFailedError()

        return {"result": "success"}

--- a/api/controllers/web/login.py
+++ b/api/controllers/web/login.py
@@ -2,8 +2,12 @@ from flask_restx import Resource, reqparse
 from jwt import InvalidTokenError  # type: ignore

 import services
-from controllers.console.auth.error import EmailCodeError, EmailOrPasswordMismatchError, InvalidEmailError
-from controllers.console.error import AccountBannedError, AccountNotFound
+from controllers.console.auth.error import (
+    AuthenticationFailedError,
+    EmailCodeError,
+    InvalidEmailError,
+)
+from controllers.console.error import AccountBannedError
 from controllers.console.wraps import only_edition_enterprise, setup_required
 from controllers.web import api
 from libs.helper import email
@@ -29,9 +33,9 @@ class LoginApi(Resource):
        except services.errors.account.AccountLoginError:
            raise AccountBannedError()
        except services.errors.account.AccountPasswordError:
-            raise EmailOrPasswordMismatchError()
+            raise AuthenticationFailedError()
        except services.errors.account.AccountNotFoundError:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()

        token = WebAppAuthService.login(account=account)
        return {"result": "success", "data": {"access_token": token}}
@@ -63,7 +67,7 @@ class EmailCodeLoginSendEmailApi(Resource):

        account = WebAppAuthService.get_user_through_email(args["email"])
        if account is None:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()
        else:
            token = WebAppAuthService.send_email_code_login_email(account=account, language=language)

@@ -95,7 +99,7 @@ class EmailCodeLoginApi(Resource):
        WebAppAuthService.revoke_email_code_login_token(args["token"])
        account = WebAppAuthService.get_user_through_email(user_email)
        if not account:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()

        token = WebAppAuthService.login(account=account)
        AccountService.reset_login_error_rate_limit(args["email"])