Merge pull request #1759 from nodeSolidServer/fix/issue#1758

fix security issue

Author: bourgeoa

lib/models/authenticator.js

@@ -140,7 +140,9 @@ class PasswordAuthenticator extends Authenticator {
       })
       .then(foundUser => {
         if (!foundUser) {
-          error = new Error('No user found for that username')
+          // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+          // https://cwe.mitre.org/data/definitions/200.html
+          error = new Error('Invalid username/password combination.') // no detail for security 'No user found for that username')
           error.statusCode = 400
           throw error
         }
@@ -151,7 +153,9 @@ class PasswordAuthenticator extends Authenticator {
       })
       .then(validUser => {
         if (!validUser) {
-          error = new Error('User found but no password match')
+          // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+          // https://cwe.mitre.org/data/definitions/200.html
+          error = new Error('Invalid username/password combination.') // no detail for security 'User found but no password match')
           error.statusCode = 400
           throw error
         }

test/unit/password-authenticator-test.js

@@ -90,7 +90,7 @@ describe('PasswordAuthenticator', () => {
       pwAuth.findValidUser()
         .catch(error => {
           expect(error.statusCode).to.equal(400)
-          expect(error.message).to.equal('No user found for that username')
+          expect(error.message).to.equal('Invalid username/password combination.')
           done()
         })
     })
@@ -111,7 +111,7 @@ describe('PasswordAuthenticator', () => {
       pwAuth.findValidUser()
         .catch(error => {
           expect(error.statusCode).to.equal(400)
-          expect(error.message).to.equal('User found but no password match')
+          expect(error.message).to.equal('Invalid username/password combination.')
           done()
         })
     })