Merge pull request #148 from ubccr/fix-92

Add support for hiding invalid username error.
ubccr · Oct 24, 2024 · e8f1e50 · e8f1e50
2 parents a30308f + 44cd95e
commit e8f1e50
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/mokey.toml.sample b/mokey.toml.sample
@@ -95,6 +95,12 @@ require_mfa = false
 # accounts are disabled by default until a FreeIPA admin activates them.
 require_admin_verify = false
 
+# By default, login attempts for non-existent user accounts will be shown an
+# error message indicating that the username is not found in the system. If
+# your site is concerned about the potential for username enumeration attacks,
+# you could hide this error message by setting this to true.
+hide_invalid_username_error = false
+
 #------------------------------------------------------------------------------
 # Email
 #------------------------------------------------------------------------------

diff --git a/server/auth.go b/server/auth.go
@@ -182,16 +182,21 @@ func (r *Router) CheckUser(c *fiber.Ctx) error {
 				"error":    ierr,
 				"username": username,
 			}).Warn("Username not found in FreeIPA")
+
+			if !viper.GetBool("accounts.hide_invalid_username_error") {
+				r.metrics.totalFailedLogins.Inc()
+				return c.Status(fiber.StatusUnauthorized).SendString("Invalid username")
+			}
+			userRec = new(ipa.User)
+			userRec.Username = username
+		} else {
+			log.WithFields(log.Fields{
+				"error":    err,
+				"username": username,
+			}).Error("Failed to fetch user info from FreeIPA")
 			r.metrics.totalFailedLogins.Inc()
-			return c.Status(fiber.StatusUnauthorized).SendString("Invalid username")
+			return c.Status(fiber.StatusInternalServerError).SendString("Fatal system error")
 		}
-
-		log.WithFields(log.Fields{
-			"error":    err,
-			"username": username,
-		}).Error("Failed to fetch user info from FreeIPA")
-		r.metrics.totalFailedLogins.Inc()
-		return c.Status(fiber.StatusInternalServerError).SendString("Fatal system error")
 	}
 
 	if userRec.Locked {

diff --git a/server/server.go b/server/server.go
@@ -40,6 +40,7 @@ type Server struct {
 func SetDefaults() {
 	viper.SetDefault("site.name", "Acme Widgets")
 	viper.SetDefault("site.ktuser", "mokeyapp")
+	viper.SetDefault("accounts.hide_invalid_username_error", false)
 	viper.SetDefault("accounts.default_homedir", "/home")
 	viper.SetDefault("accounts.default_shell", "/bin/bash")
 	viper.SetDefault("accounts.min_passwd_len", 8)