kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix SEC-02: normalize lockout response

Browse Source 
- REST login: change locked account response from HTTP 429
  "account_locked" to HTTP 401 "invalid credentials"
- gRPC login: change from ResourceExhausted to Unauthenticated
  with "invalid credentials" message
- UI login: change from "account temporarily locked" to
  "invalid credentials"
- REST password-change endpoint: same normalization
- Audit logs still record "account_locked" internally
- Added tests in all three layers verifying locked-account
  responses are indistinguishable from wrong-password responses

Security: lockout responses now return identical status codes and
messages as wrong-password failures across REST, gRPC, and UI,
preventing user-enumeration via lockout differentiation. Internal
audit logging of lockout events is preserved for operational use.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-13 00:43:57 -07:00
parent 586d4e3355
commit 4d3d438253
6 changed files with 228 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/server/server.go
View File

@@ -238,7 +238,9 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
if locked {
_, _ = auth.VerifyPassword("dummy", auth.DummyHash())
s.writeAudit(r, model.EventLoginFail, &acct.ID, nil, `{"reason":"account_locked"}`)
middleware.WriteError(w, http.StatusTooManyRequests, "account temporarily locked", "account_locked")
// Security: return the same 401 "invalid credentials" as wrong-password
// to prevent user-enumeration via lockout differentiation (SEC-02).
middleware.WriteError(w, http.StatusUnauthorized, "invalid credentials", "unauthorized")
return
}
@@ -1026,7 +1028,9 @@ func (s *Server) handleChangePassword(w http.ResponseWriter, r *http.Request) {
}
if locked {
s.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"result":"locked"}`)
middleware.WriteError(w, http.StatusTooManyRequests, "account temporarily locked", "account_locked")
// Security: return the same 401 as wrong-password to prevent
// user-enumeration via lockout differentiation (SEC-02).
middleware.WriteError(w, http.StatusUnauthorized, "invalid credentials", "unauthorized")
return
}