Add login “error” messages

Rationale

For now, the only feedback the user gets when the login “does not work” is a loop of the password dialog. IMHO this is not very clear.

Proposal

A new LoginError contemplated by the clients.

For example, the foundation could show some of them, and others could be put in third party modules:

  • User not found

  • User and password do not match

  • Your user is deactivated

  • Message indicating that there is a similar name, but that the upper and lower case do not match

  • Message indicating that the number of login attempts has been exhausted

This would allow the possibility of adding custom adaptations for login control.

Motivation:

Implementation

I’m strongly against that because it is leaking information to attackers.


I totally agree; the list of errors I added was only for illustration, but I think that the possibility of displaying a message would not be bad.

What message do you want to display that is not leaking information?

I would not give that message, but it is something to consider whether usernames should be case insensitive. LDAP, for example, is case insensitive by default, and most services nowadays behave that way.

Usually usernames are made case insensitive to minimize impersonation, and also because e-mail addresses are frequently used as logins and those are case insensitive.

If a decision is made to keep usernames sensitive, maybe a standard message telling the user “remember username is case sensitive” would be appropriate as they’ll be used to other systems which behave differently.

A simple “incorrect user and/or password”, so that the user does not doubt whether the login is working properly (because of the infinite loop of the password dialog).

Message indicating that the number of login attempts has been exhausted

This one, for example, would have to be analyzed to see whether it is safe or not, but I see it as useful, because it is a difficult problem to detect.

This is not the only method possible.

This is already the case, as RateLimitException is converted into TOO_MANY_REQUESTS.
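The two points the thread settles on, a single generic “incorrect user and/or password” message that does not reveal whether the user exists or is deactivated, and exhausted login attempts surfacing as TOO_MANY_REQUESTS, as an added example that is not part of the thread or of the project's own code. The user table, the PBKDF2 parameters, the per-username attempt limit and the in-memory attempt store are assumptions made for the example; real data would live in the database and the rate-limit state in shared storage.

```python
"""Added example (not the project's own code): a login check that gives the
client one generic failure message, so that "user not found", "wrong
password" and "user deactivated" are indistinguishable to an attacker, and
that turns exhausted attempts into a TOO_MANY_REQUESTS error.
The user table, hashing parameters, limits and attempt store are assumptions."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000   # assumption: any slow password hash would do
MAX_ATTEMPTS = 5          # assumption: failures allowed per username per window
WINDOW_SECONDS = 60       # assumption: sliding window length
GENERIC_ERROR = "Incorrect user and/or password"


class LoginError(Exception):
    """Generic failure; deliberately never says why."""


class TooManyRequests(Exception):
    """Maps to HTTP 429 / TOO_MANY_REQUESTS on the wire."""


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed sample user table: username -> (salt, digest, active)
USERS = {
    "alice": (*hash_password("s3cret"), True),
    "bob": (*hash_password("hunter2"), False),   # deactivated account
}

# A dummy record is verified for unknown usernames so the response time of
# "user not found" matches that of "wrong password" (no timing oracle).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy")

_attempts = {}  # username -> list of failure timestamps (assumption: in memory)


def _check_rate_limit(username, now):
    recent = [t for t in _attempts.get(username, []) if now - t < WINDOW_SECONDS]
    _attempts[username] = recent
    if len(recent) >= MAX_ATTEMPTS:
        raise TooManyRequests()


def _record_failure(username, now):
    _attempts.setdefault(username, []).append(now)


def login(username, password, now=None):
    """Return the username on success; raise LoginError or TooManyRequests."""
    now = time.time() if now is None else now
    _check_rate_limit(username, now)
    record = USERS.get(username)
    if record is None:
        salt, digest, active = _DUMMY_SALT, _DUMMY_DIGEST, False
    else:
        salt, digest, active = record
    _, candidate = hash_password(password, salt)
    # compare_digest always runs; the extra conditions collapse every
    # failure reason into the same outcome.
    ok = hmac.compare_digest(candidate, digest) and active and record is not None
    if not ok:
        _record_failure(username, now)
        raise LoginError(GENERIC_ERROR)
    _attempts.pop(username, None)
    return username


def try_login(username, password, now=None):
    """What a client would display for each outcome."""
    try:
        login(username, password, now)
        return "ok"
    except TooManyRequests:
        return "TOO_MANY_REQUESTS"
    except LoginError as e:
        return str(e)


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"),
                     ("nobody", "x"), ("bob", "hunter2")]:
        print(user, "->", try_login(user, pw))
```

The only thing the client can learn from a failed attempt is that the pair was rejected; whether the account exists, is locked, or merely has the wrong password stays on the server side, and the lockout message appears only once the attempt budget is spent, at which point the attacker already knows they were counting against a username.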