From c0c57bd28aa19e3a31cfbdc162167a3fba3005a3 Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Mon, 7 Jun 2021 17:37:28 +0200
Subject: [PATCH 1/3] add fake delay for passwords which don't match security criteria

---
 login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp b/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
index 59e33e5d0..e82e75dc8 100644
--- a/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
+++ b/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
@@ -77,7 +77,7 @@ Poco::JSON::Object* JsonUnsecureLogin::handle(Poco::Dynamic::Var params)
 Poco::JSON::Object* result = new Poco::JSON::Object;
 if (!password.size() || !sm->checkPwdValidation(password, &pwd_errors, LanguageManager::getInstance()->getFreeCatalog(LANG_EN))) {
-
+ Poco::Thread::sleep(ServerConfig::g_FakeLoginSleepTime);
 result->set("state", "error");
 result->set("msg", pwd_errors.getLastError()->getString(false));
 if (pwd_errors.errorCount()) {

From 81a6b2a0a23e0c6021fba4ff8caa2f7a8cb3af07 Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Mon, 7 Jun 2021 17:39:12 +0200
Subject: [PATCH 2/3] don't give away the info about security criteria of password

---
 login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp b/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
index e82e75dc8..0457b572e 100644
--- a/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
+++ b/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
@@ -79,10 +79,8 @@ Poco::JSON::Object* JsonUnsecureLogin::handle(Poco::Dynamic::Var params)
 if (!password.size() || !sm->checkPwdValidation(password, &pwd_errors, LanguageManager::getInstance()->getFreeCatalog(LANG_EN))) {
 Poco::Thread::sleep(ServerConfig::g_FakeLoginSleepTime);
 result->set("state", "error");
- result->set("msg", pwd_errors.getLastError()->getString(false));
- if (pwd_errors.errorCount()) {
- result->set("details", pwd_errors.getLastError()->getString(false));
- }
+ result->set("msg", "password incorrect");
+ return result;
 }

From c57f366071ef75f34a435f2d259c20eced6a279e Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Tue, 8 Jun 2021 11:26:14 +0200
Subject: [PATCH 3/3] add fakesleep by user check

---
 .../src/cpp/JSONInterface/JsonUnsecureLogin.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp b/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
index 0457b572e..5d337df41 100644
--- a/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
+++ b/login_server/src/cpp/JSONInterface/JsonUnsecureLogin.cpp
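Review bot: The fixed `Poco::Thread::sleep(ServerConfig::g_FakeLoginSleepTime)` at the top of this hunk does not make the rejection path take the same time as a genuine credential check; it only adds a constant, so the response time still differs by whatever the real path (user load plus password verification, outside this hunk) costs, and an attacker with enough samples can still separate "rejected before the check" from "checked and rejected". A more robust pattern is to take a `Poco::Timestamp started;` at the top of `handle()` and, on every early return, sleep only for the remainder, `Poco::Thread::sleep(std::max<long>(0, ServerConfig::g_FakeLoginSleepTime - started.elapsed() / 1000));`, so all outcomes land near the same total latency — which requires measuring the real path and setting the constant above it. Also note that the sleep blocks a server worker thread, so if the HTTP server runs on a bounded thread pool (not visible here), unauthenticated requests with a malformed password can occupy every worker for g_FakeLoginSleepTime each; a per-IP rate limit in front of this endpoint would be a cheap safeguard. `handle()` starts and ends outside this hunk.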
@@ -58,20 +58,28 @@ Poco::JSON::Object* JsonUnsecureLogin::handle(Poco::Dynamic::Var params)
 }
 auto user = controller::User::create();
+ std::string message;
+ std::string details;
 if (email.size()) {
 if (!sm->isValid(email, VALIDATE_EMAIL)) {
- return stateError("invalid email");
+ message = "invalid email";
 }
 if (1 != user->load(email)) {
- return stateError("user with email not found", email);
+ message = "user with email not found";
+ details = email;
 }
 } else if (username.size() > 0) {
 if (1 != user->load(username)) {
- return stateError("user with username not found", username);
+ message = "user with username not found";
+ details = username;
 }
 email = user->getModel()->getEmail();
 }
+ if (message.size()) {
+ Poco::Thread::sleep(ServerConfig::g_FakeLoginSleepTime);
+ return stateError(message.data(), details);
+ }
 NotificationList pwd_errors;
 Poco::JSON::Object* result = new Poco::JSON::Object;
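Review bot: The padded early return at the end of this hunk still tells the caller whether the account exists: `"user with email not found"` / `"user with username not found"` plus the submitted identifier in `details` go back in the response, so the sleep closes the timing side of user enumeration but leaves the message side open, and it is inconsistent with the generic `"password incorrect"` reply the password branch below now gives. I would return the same generic error here, `return stateError("password incorrect");`, and keep the specific reason only in a server-side log, provided no client depends on these strings (not visible here). Separately, when `sm->isValid(email, VALIDATE_EMAIL)` fails the code now falls through to `user->load(email)` — a lookup on input that failed validation, which the old `return` avoided — and that lookup's failure overwrites `message`, so `"invalid email"` can never actually be returned; `} else if (1 != user->load(email)) {` restores the short-circuit. `handle()` starts and ends outside this hunk.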