Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/03/24 08:13:05 UTC

[GitHub] [apisix] liangliang4ward opened a new pull request #6707: fix: hidding real message when password or username is error

liangliang4ward opened a new pull request #6707:
URL: https://github.com/apache/apisix/pull/6707


   ### Description
   For auth plugins that take a username and password, hide the real message when the password or username does not match.
   
   
   Fixes # [(issue)](https://github.com/apache/apisix/issues/6703)
   
   ### Checklist
   
   - [ ] I have explained the need for this PR and the problem it solves
   - [ ] I have explained the changes or the new features added to this PR
   - [ ] I have added tests corresponding to this change
   - [ ] I have updated the documentation to reflect this change
   - [ ] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] liangliang4ward commented on a change in pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
liangliang4ward commented on a change in pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#discussion_r835761390



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -167,14 +167,14 @@ function _M.rewrite(conf, ctx)
     -- 3. check user exists
     local cur_consumer = consumers[username]
     if not cur_consumer then
-        return 401, { message = "Invalid user key in authorization" }
+        return 401, { message = "Invalid password or username" }
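
Review bot: the new literal at the `not cur_consumer` return has to stay byte-identical to the one returned by the password check further down in `_M.rewrite`, or the two cases become distinguishable again. Define the message once as a module-level local and return that from both branches, and update any test or documentation that still matches on "Invalid user key in authorization".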

Review comment:
       done. unify "Invalid user authorization"







[GitHub] [apisix] membphis commented on pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
membphis commented on pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#issuecomment-1079815823


   many thx @liangliang4ward 





[GitHub] [apisix] membphis merged pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
membphis merged pull request #6707:
URL: https://github.com/apache/apisix/pull/6707


   





[GitHub] [apisix] liangliang4ward commented on a change in pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
liangliang4ward commented on a change in pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#discussion_r835761511



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -167,14 +167,14 @@ function _M.rewrite(conf, ctx)
     -- 3. check user exists
     local cur_consumer = consumers[username]
     if not cur_consumer then
-        return 401, { message = "Invalid user key in authorization" }
+        return 401, { message = "Invalid password or username" }
     end
     core.log.info("consumer: ", core.json.delay_encode(cur_consumer))
 
 
     -- 4. check the password is correct
     if cur_consumer.auth_conf.password ~= password then
-        return 401, { message = "Password is error" }
+        return 401, { message = "Invalid password or username" }
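
Review bot: the unchanged `core.log.info("consumer: ", core.json.delay_encode(cur_consumer))` line between the two checks serializes the whole consumer record, and the next check reads `cur_consumer.auth_conf.password` from that same record, so the stored password reaches the log whenever info logging is enabled. While touching this function, log only the `username` at that point. The two 401 returns now carry the same body, which is what the change needs.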

Review comment:
       done







[GitHub] [apisix] liangliang4ward commented on pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
liangliang4ward commented on pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#issuecomment-1079672090


   > Hi @liangliang4ward, you need to use:
   > 
   > ```
   > Fixes #6703 
   > ```
   > 
   > but not
   > 
   > ```
   > Fixes # [(issue)](https://github.com/apache/apisix/issues/6703)
   > ```
   > 
   > in the link
   
   ok





[GitHub] [apisix] spacewander commented on pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
spacewander commented on pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#issuecomment-1078552924


   Hi @liangliang4ward, you need to use:
   ```
   Fixes #6703 
   ```
   but not
   ```
   Fixes # [(issue)](https://github.com/apache/apisix/issues/6703)
   ```
   in the link





[GitHub] [apisix] moonming commented on a change in pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
moonming commented on a change in pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#discussion_r834837475



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -167,14 +167,14 @@ function _M.rewrite(conf, ctx)
     -- 3. check user exists
     local cur_consumer = consumers[username]
     if not cur_consumer then
-        return 401, { message = "Invalid user key in authorization" }
+        return 401, { message = "Invalid password or username" }

Review comment:
       ```suggestion
           return 401, { message = "Invalid authentication credentials" }
   ```

##########
File path: apisix/plugins/ldap-auth.lua
##########
@@ -140,7 +140,7 @@ function _M.rewrite(conf, ctx)
     local userdn =  uid .. "=" .. user.username .. "," .. conf.base_dn
     local ld = lualdap.open_simple (conf.ldap_uri, userdn, user.password, conf.use_tls)
     if not ld then
-        return 401, { message = "Invalid user authorization" }
+        return 401, { message = "Invalid password or username" }
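
Review bot: the `not ld` branch after `lualdap.open_simple (...)` is taken for any failed bind, including an unreachable `conf.ldap_uri` or a TLS failure when `conf.use_tls` is set, so "Invalid password or username" will also be sent when the directory is down. Keep the client-facing body generic, but only the first return value is kept in `ld`; capture any error value returned alongside it and log it server-side so operators can tell an outage from a bad credential. Separately, `user.username` is concatenated into `userdn` without escaping DN special characters, which deserves its own follow-up.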

Review comment:
       I don't think we need to change this

##########
File path: apisix/plugins/ldap-auth.lua
##########
@@ -152,7 +152,7 @@ function _M.rewrite(conf, ctx)
         create_consumer_cache, consumer_conf)
     local consumer = consumers[userdn]
     if not consumer then
-        return 401, {message = "Invalid API key in request"}
+        return 401, {message = "Invalid password or username"}
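
Review bot: this `not consumer` return is only reached after the `lualdap.open_simple` bind earlier in `_M.rewrite` has succeeded, so the directory accepted the credentials and what is missing is a consumer entry for `userdn`. Returning the same generic body to the client is fine, but add a server-side log line naming `userdn` before the return; otherwise a missing consumer mapping cannot be told apart from a wrong password during troubleshooting.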

Review comment:
       And you should update https://github.com/apache/apisix/pull/6707/files#diff-8e5b15fc718c151b0f2b2fbf464e510f31c3e0bf31a350aa2f5ca01349f4a2f6R149 too

##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -167,14 +167,14 @@ function _M.rewrite(conf, ctx)
     -- 3. check user exists
     local cur_consumer = consumers[username]
     if not cur_consumer then
-        return 401, { message = "Invalid user key in authorization" }
+        return 401, { message = "Invalid password or username" }
     end
     core.log.info("consumer: ", core.json.delay_encode(cur_consumer))
 
 
     -- 4. check the password is correct
     if cur_consumer.auth_conf.password ~= password then
-        return 401, { message = "Password is error" }
+        return 401, { message = "Invalid password or username" }

Review comment:
       ditto

##########
File path: apisix/plugins/ldap-auth.lua
##########
@@ -152,7 +152,7 @@ function _M.rewrite(conf, ctx)
         create_consumer_cache, consumer_conf)
     local consumer = consumers[userdn]
     if not consumer then
-        return 401, {message = "Invalid API key in request"}
+        return 401, {message = "Invalid password or username"}

Review comment:
       ```suggestion
           return 401, {message = "Invalid user authorization"}
   ```







[GitHub] [apisix] liangliang4ward commented on a change in pull request #6707: fix: hidding real message when password or username is error

Posted by GitBox <gi...@apache.org>.
liangliang4ward commented on a change in pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#discussion_r835761496



##########
File path: apisix/plugins/ldap-auth.lua
##########
@@ -152,7 +152,7 @@ function _M.rewrite(conf, ctx)
         create_consumer_cache, consumer_conf)
     local consumer = consumers[userdn]
     if not consumer then
-        return 401, {message = "Invalid API key in request"}
+        return 401, {message = "Invalid password or username"}

Review comment:
       done. unify to " Invalid user authorization"



