Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/03/24 23:46:59 UTC

[GitHub] [apisix] moonming commented on a change in pull request #6707: fix: hidding real message when password or username is error

moonming commented on a change in pull request #6707:
URL: https://github.com/apache/apisix/pull/6707#discussion_r834837475



##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -167,14 +167,14 @@ function _M.rewrite(conf, ctx)
     -- 3. check user exists
     local cur_consumer = consumers[username]
     if not cur_consumer then
-        return 401, { message = "Invalid user key in authorization" }
+        return 401, { message = "Invalid password or username" }
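Review bot: The two 401 branches of this function now deliberately return the same message, but nothing in the code records that the equality is intentional, so a later edit to either branch can easily make the user-not-found text differ from the password-mismatch text again and reintroduce a hint about whether the username exists. Add a short comment above the changed return, e.g. `-- keep identical to the password-check response below so a client cannot tell whether the username exists`, and the mirror comment on the password branch. The enclosing rewrite function starts before and continues after this hunk; the same note applies to the repeated, longer hunk for this file further down the page.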

Review comment:
       ```suggestion
           return 401, { message = "Invalid authentication credentials" }
   ```

##########
File path: apisix/plugins/ldap-auth.lua
##########
@@ -140,7 +140,7 @@ function _M.rewrite(conf, ctx)
     local userdn =  uid .. "=" .. user.username .. "," .. conf.base_dn
     local ld = lualdap.open_simple (conf.ldap_uri, userdn, user.password, conf.use_tls)
     if not ld then
-        return 401, { message = "Invalid user authorization" }
+        return 401, { message = "Invalid password or username" }
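Review bot: With the client-facing message now generic, the reason the bind failed is lost entirely, because the second return value of `lualdap.open_simple` (its error message) is discarded on the line above the changed return, leaving operators unable to distinguish a wrong password from an unreachable or misconfigured LDAP server. Capture it and log it server-side while keeping the response unchanged: `local ld, err = lualdap.open_simple(conf.ldap_uri, userdn, user.password, conf.use_tls)` and, inside the `if not ld` branch, a warn-level log of `userdn` and `err` through the plugin's logger before the `return 401` (never log `user.password`). Separately, `user.username` is interpolated into the bind DN on the first context line without RFC 4514 escaping; if that value comes straight from the Authorization header, escaping it (or rejecting DN-special characters) would be a worthwhile follow-up. The enclosing rewrite function starts before and continues after this hunk.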

Review comment:
       I don't think we need to change this

##########
File path: apisix/plugins/ldap-auth.lua
##########
@@ -152,7 +152,7 @@ function _M.rewrite(conf, ctx)
         create_consumer_cache, consumer_conf)
     local consumer = consumers[userdn]
     if not consumer then
-        return 401, {message = "Invalid API key in request"}
+        return 401, {message = "Invalid password or username"}
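Review bot: This early return is reached only after the LDAP bind earlier in the function has succeeded, and nothing visible in either ldap-auth hunk closes the connection object `ld` before returning, so each request that authenticates against LDAP but has no matching consumer may leave a bound connection to be reclaimed only by the garbage collector (unless a close happens in the lines between the two hunks, which are not shown here). If that is the case, close it on this path, e.g. `ld:close()` immediately before the `return 401`, and on the success path as well. The enclosing rewrite function starts before and continues after this hunk; the same applies to the repeated hunk for this file below.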

Review comment:
       And you should update https://github.com/apache/apisix/pull/6707/files#diff-8e5b15fc718c151b0f2b2fbf464e510f31c3e0bf31a350aa2f5ca01349f4a2f6R149 too

##########
File path: apisix/plugins/basic-auth.lua
##########
@@ -167,14 +167,14 @@ function _M.rewrite(conf, ctx)
     -- 3. check user exists
     local cur_consumer = consumers[username]
     if not cur_consumer then
-        return 401, { message = "Invalid user key in authorization" }
+        return 401, { message = "Invalid password or username" }
     end
     core.log.info("consumer: ", core.json.delay_encode(cur_consumer))
 
 
     -- 4. check the password is correct
     if cur_consumer.auth_conf.password ~= password then
-        return 401, { message = "Password is error" }
+        return 401, { message = "Invalid password or username" }

Review comment:
       ditto

##########
File path: apisix/plugins/ldap-auth.lua
##########
@@ -152,7 +152,7 @@ function _M.rewrite(conf, ctx)
         create_consumer_cache, consumer_conf)
     local consumer = consumers[userdn]
     if not consumer then
-        return 401, {message = "Invalid API key in request"}
+        return 401, {message = "Invalid password or username"}

Review comment:
       ```suggestion
           return 401, {message = "Invalid user authorization"}
   ```



