fix: standardize authentication error messages to prevent user enumeration (#24324)

Signed-off-by: -LAN- <laipz8200@outlook.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2025-08-26 09:46:23 +08:00
parent c14b498676
commit cfb8d224da
5 changed files with 157 additions and 11 deletions
--- a/api/controllers/web/forgot_password.py
+++ b/api/controllers/web/forgot_password.py
@@ -7,13 +7,14 @@ from sqlalchemy import select
 from sqlalchemy.orm import Session

 from controllers.console.auth.error import (
+    AuthenticationFailedError,
    EmailCodeError,
    EmailPasswordResetLimitError,
    InvalidEmailError,
    InvalidTokenError,
    PasswordMismatchError,
 )
-from controllers.console.error import AccountNotFound, EmailSendIpLimitError
+from controllers.console.error import EmailSendIpLimitError
 from controllers.console.wraps import email_password_login_enabled, only_edition_enterprise, setup_required
 from controllers.web import api
 from extensions.ext_database import db
@@ -46,7 +47,7 @@ class ForgotPasswordSendEmailApi(Resource):
            account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()
        token = None
        if account is None:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()
        else:
            token = AccountService.send_reset_password_email(account=account, email=args["email"], language=language)

@@ -131,7 +132,7 @@ class ForgotPasswordResetApi(Resource):
            if account:
                self._update_existing_account(account, password_hashed, salt, session)
            else:
-                raise AccountNotFound()
+                raise AuthenticationFailedError()

        return {"result": "success"}

--- a/api/controllers/web/login.py
+++ b/api/controllers/web/login.py
@@ -2,8 +2,12 @@ from flask_restx import Resource, reqparse
 from jwt import InvalidTokenError  # type: ignore

 import services
-from controllers.console.auth.error import EmailCodeError, EmailOrPasswordMismatchError, InvalidEmailError
-from controllers.console.error import AccountBannedError, AccountNotFound
+from controllers.console.auth.error import (
+    AuthenticationFailedError,
+    EmailCodeError,
+    InvalidEmailError,
+)
+from controllers.console.error import AccountBannedError
 from controllers.console.wraps import only_edition_enterprise, setup_required
 from controllers.web import api
 from libs.helper import email
@@ -29,9 +33,9 @@ class LoginApi(Resource):
        except services.errors.account.AccountLoginError:
            raise AccountBannedError()
        except services.errors.account.AccountPasswordError:
-            raise EmailOrPasswordMismatchError()
+            raise AuthenticationFailedError()
        except services.errors.account.AccountNotFoundError:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()

        token = WebAppAuthService.login(account=account)
        return {"result": "success", "data": {"access_token": token}}
@@ -63,7 +67,7 @@ class EmailCodeLoginSendEmailApi(Resource):

        account = WebAppAuthService.get_user_through_email(args["email"])
        if account is None:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()
        else:
            token = WebAppAuthService.send_email_code_login_email(account=account, language=language)

@@ -95,7 +99,7 @@ class EmailCodeLoginApi(Resource):
        WebAppAuthService.revoke_email_code_login_token(args["token"])
        account = WebAppAuthService.get_user_through_email(user_email)
        if not account:
-            raise AccountNotFound()
+            raise AuthenticationFailedError()

        token = WebAppAuthService.login(account=account)
        AccountService.reset_login_error_rate_limit(args["email"])