
Updated message to prevent enumeration.

This commit is contained in:
Todd Martin 2024-05-14 14:40:55 -04:00
parent b97a4d38ac
commit bd46adce77
No known key found for this signature in database
GPG Key ID: 663E7AF5C839BC8F


@ -26,13 +26,13 @@ internal class AssertWebAuthnLoginCredentialCommand : IAssertWebAuthnLoginCreden
{
if (!GuidUtilities.TryParseBytes(assertionResponse.Response.UserHandle, out var userId))
{
throw new BadRequestException("Invalid credential.");
ThrowInvalidCredentialException();
}
var user = await _userRepository.GetByIdAsync(userId);
if (user == null)
{
throw new BadRequestException("Invalid credential.");
ThrowInvalidCredentialException();
}
var userCredentials = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
@ -40,7 +40,7 @@ internal class AssertWebAuthnLoginCredentialCommand : IAssertWebAuthnLoginCreden
var credential = userCredentials.FirstOrDefault(c => c.CredentialId == assertedCredentialId);
if (credential == null)
{
throw new BadRequestException("Invalid credential.");
ThrowInvalidCredentialException();
}
// Always return true, since we've already filtered the credentials after user id
@ -55,7 +55,7 @@ internal class AssertWebAuthnLoginCredentialCommand : IAssertWebAuthnLoginCreden
}
catch (Fido2VerificationException)
{
throw new BadRequestException("Unable to verify credential.");
ThrowInvalidCredentialException();
}
// Update SignatureCounter
@ -64,9 +64,14 @@ internal class AssertWebAuthnLoginCredentialCommand : IAssertWebAuthnLoginCreden
if (assertionVerificationResult.Status != "ok")
{
throw new BadRequestException("Invalid credential.");
ThrowInvalidCredentialException();
}
return (user, credential);
}
private void ThrowInvalidCredentialException()
{
throw new BadRequestException("Invalid credential.");
}
}
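Review bot: The unified message closes the response-body channel, but the early exits at `if (user == null)` (first hunk) and `if (credential == null)` (second hunk) still throw before the FIDO2 assertion inside the `try` of the third hunk is attempted, so a request carrying an unknown user handle will likely return noticeably faster than one that reaches signature verification, and user-handle enumeration may remain possible via response timing unless that is flattened somewhere not visible here; consider running equivalent verification work (for example against a placeholder credential) on those paths, or add a comment stating why the timing difference is accepted. Separately, `ThrowInvalidCredentialException` returns `void`, so nullable flow analysis cannot tell that `user` is non-null at `user.Id` after the `if (user == null)` guard and the helper reads no instance state; declaring it as `[DoesNotReturn] private static void ThrowInvalidCredentialException()` (attribute from `System.Diagnostics.CodeAnalysis`) makes the throw visible to callers and silences the spurious null warning. The enclosing method starts before the first hunk.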