Fix username enumeration vulnerability

When creating a user account using an email that has already been taken, or when logging in with an email that does not exist in the database, the error messages should be generic and should not indicate that the email already exists, or that the email does not exist (in the case of logins)
meedan · Jan 20, 2025 · 4a618df · 4a618df
1 parent ebd7960
commit 4a618df
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/test/controllers/registrations_controller_test.rb b/test/controllers/registrations_controller_test.rb
@@ -143,4 +143,25 @@ def teardown
     end
     assert_response 401
   end
+
+  test "should return generic response when registering using an existing email" do
+    existing_user = create_user(email: '[email protected]')
+    p1 = random_complex_password
+
+    assert_no_difference 'User.count' do
+      post :create, params: { api_user: { password: p1, password_confirmation: p1, email: existing_user.email, login: 'test', name: 'Test' } }
+      assert_response 401
+      assert_equal 'Please check your email', response.parsed_body['message']
+    end
+  end
+
+  test "should return generic response when logging in with non-existing email" do
+    p1 = random_complex_password
+
+    assert_no_difference 'User.count' do
+      post :create, params: { api_user: { password: p1, password_confirmation: p1, email: '[email protected]', login: 'test', name: 'Test' } }
+      assert_response 401
+      assert_equal 'Please check your email', response.parsed_body['message']
+    end
+  end
 end