
[SECURITY] Account enumeration possible via different error messages on login/password reset #364

@anshul23102

Security Issue: User Account Enumeration via Error Message Differentiation

Description

The login and password reset endpoints return different error messages depending on whether the email address exists in the database. This allows attackers to enumerate valid user accounts by observing response differences.

Steps to Reproduce

  1. Submit a login request with a non-existent email address - observe the specific error message
  2. Submit a login request with an existing email and wrong password - observe a different error message
  3. By comparing responses, an attacker can determine which emails are registered

Root Cause

The error handling logic likely returns messages like "User not found" vs "Incorrect password" rather than a generic message.

Impact

  • Enables targeted phishing attacks against confirmed RIVETO users
  • Feeds credential stuffing by confirming which emails have accounts
  • Privacy breach (exposes who uses the platform)

Proposed Fix

Return identical error messages and HTTP status codes for both cases:

// Instead of:
if (!user) return res.status(404).json({ error: 'User not found' });
if (!passwordMatch) return res.status(401).json({ error: 'Incorrect password' });

// Use:
if (!user || !passwordMatch) {
  return res.status(401).json({ error: 'Invalid email or password' });
}

Also make the response time independent of whether the email exists (the password comparison should take the same time in both cases) to prevent timing-based enumeration as well.

I would like to implement this fix if assigned.
