kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge SEC-02: normalize lockout response

Browse Source 
# Conflicts:
#	internal/grpcserver/grpcserver_test.go
#	internal/server/server_test.go
This commit is contained in:
Kyle Isom
2026-03-13 01:05:56 -07:00
parent fa45836612 4d3d438253
commit 6191c5e00a
6 changed files with 228 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/server/server.go
View File

@@ -248,7 +248,9 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
if locked {
_, _ = auth.VerifyPassword("dummy", auth.DummyHash())
s.writeAudit(r, model.EventLoginFail, &acct.ID, nil, `{"reason":"account_locked"}`)
middleware.WriteError(w, http.StatusTooManyRequests, "account temporarily locked", "account_locked")
// Security: return the same 401 "invalid credentials" as wrong-password
// to prevent user-enumeration via lockout differentiation (SEC-02).
middleware.WriteError(w, http.StatusUnauthorized, "invalid credentials", "unauthorized")
return
}
@@ -1034,7 +1036,9 @@ func (s *Server) handleChangePassword(w http.ResponseWriter, r *http.Request) {
}
if locked {
s.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"result":"locked"}`)
middleware.WriteError(w, http.StatusTooManyRequests, "account temporarily locked", "account_locked")
// Security: return the same 401 as wrong-password to prevent
// user-enumeration via lockout differentiation (SEC-02).
middleware.WriteError(w, http.StatusUnauthorized, "invalid credentials", "unauthorized")
return
}