Prevent leaking email addresses when user is not confirmed

stevepolitodesign · stevepolitodesign · commit 6a8f23e568a1 · 2022-01-07T06:07:14.000-05:00
A bad actor could exploit this vulnerability to see if a user exists in the system. Issues ------ - Closes #51
diff --git a/README.md b/README.md
@@ -519,7 +519,7 @@ class SessionsController < ApplicationController
     @user = User.find_by(email: params[:user][:email].downcase)
     if @user
       if @user.unconfirmed?
-        redirect_to new_confirmation_path, alert: "You must confirm your email before you can sign in."
+        redirect_to new_confirmation_path, alert: "Incorrect email or password."
       elsif @user.authenticate(params[:user][:password])
         login @user
         redirect_to root_path, notice: "Signed in."
@@ -578,6 +578,7 @@ end
 > - The `create` method simply checks if the user exists and is confirmed. If they are, then we check their password. If the password is correct, we log them in via the `login` method we created in the `Authentication` Concern. Otherwise, we render an alert.
 >   - We're able to call `user.authenticate` because of [has_secure_password](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password)
 >   - Note that we call `downcase` on the email to account for case sensitivity when searching.
+>   - Note that we set the flash to "Incorrect email or password." if the user is unconfirmed. This prevents leaking email addresses.
 > - The `destroy` method simply calls the `logout` method we created in the `Authentication` Concern.
 > - The login form is passed a `scope: :user` option so that the params are namespaced as `params[:user][:some_value]`. This is not required, but it helps keep things organized.
 
@@ -1324,7 +1325,7 @@ class SessionsController < ApplicationController
     @user = User.authenticate_by(email: params[:user][:email].downcase, password: params[:user][:password])
     if @user
       if @user.unconfirmed?
-        redirect_to new_confirmation_path, alert: "You must confirm your email before you can sign in."
+        redirect_to new_confirmation_path, alert: "Incorrect email or password."
       else
         after_login_path = session[:user_return_to] || root_path
         login @user
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -6,7 +6,7 @@ def create
     @user = User.authenticate_by(email: params[:user][:email].downcase, password: params[:user][:password])
     if @user
       if @user.unconfirmed?
-        redirect_to new_confirmation_path, alert: "You must confirm your email before you can sign in."
+        redirect_to new_confirmation_path, alert: "Incorrect email or password."
       else
         after_login_path = session[:user_return_to] || root_path
         login @user
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -66,7 +66,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
         password: @unconfirmed_user.password
       }
     }
-    assert_not_nil flash[:alert]
+    assert_equal "Incorrect email or password.", flash[:alert]
     assert_nil current_user
     assert_redirected_to new_confirmation_path
   end

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest`
`66`	`66`	`password: @unconfirmed_user.password`
`67`	`67`	`}`
`68`	`68`	`}`
`69`		`- assert_not_nil flash[:alert]`
	`69`	`+ assert_equal "Incorrect email or password.", flash[:alert]`
`70`	`70`	`assert_nil current_user`
`71`	`71`	`assert_redirected_to new_confirmation_path`
`72`	`72`	`end`