Ah I'd like to add that the password reset request form (and I imagine the verify account re-send form) also has this issue of revealing whether or not an account exists in the system.Ideally, this would be a unilateral configuration option to mask this leakage on all forms and in all messages. I believe this would be a common requirement for others...
Thanks for your response,I don't suppose there is anyway to persuade you that this should be an option? Are you opposed to it in principle or it just hasn't been a priority.
In my case, the site is of a sensitive nature and it is an absolute necessity that this information is not so trivially leaked. I agree that timing attacks can reveal this information anyway but these are not the only type of attacker to be concerned with.
For instance, a hypothetical situation (adjacent example to mine, but not the same), is a website which provides resources to victims of ongoing domestic abuse. It is a very different thing for an average Joe (say the partner of this victim, in my hypothetical) to check if their victim is using the site than it is for an advanced attacker trying to gain access to sensitive information. Not revealing information in the login and password reset forms makes an immense difference to the users of that site in protecting their safety from people in their actual lives. That aspect of the scenario is relevant to my specific use-case, where our customers are regularly the targets of doxxing and harassment.
My point is that every other authentication that tries to do this fails to do it correctly (e.g. be timing attack resistant) in all cases, so the main security difference between Rodauth and other authentication systems is that Rodauth does not give you a false sense of security. It's extremely difficult to do this correctly in all cases, and for the vast majority of applications using Rodauth, it shouldn't matter as the default Rodauth behavior makes more sense.
I can appreciate this use case. FWIW, users that care about this should be using custom email addresses not tied to any online identity, but that's an unrealistic expectation for the average user.
Your current best bet is to override Rodauth's templates and use the existing configuration methods to make sure the same messages are used in both cases.
I think one possible way to solve this so you could avoid overriding the templates would be to introduce a configuration method for the parameter name to use for the field error if the password is incorrect (this would default to the password parameter). Then you could set that to the login parameter, and use the existing configuration method for the incorrect password message to be generic. I would be open to such a pull request.
I think one possible way to solve this so you could avoid overriding the templates would be to introduce a configuration method for the parameter name to use for the field error if the password is incorrect (this would default to the password parameter). Then you could set that to the login parameter, and use the existing configuration method for the incorrect password message to be generic. I would be open to such a pull request.
I think one possible way to solve this so you could avoid overriding the templates would be to introduce a configuration method for the parameter name to use for the field error if the password is incorrect (this would default to the password parameter). Then you could set that to the login parameter, and use the existing configuration method for the incorrect password message to be generic. I would be open to such a pull request.That's certainly an interesting idea. It could be used by integrators like myself who wish to obscure the failure mode without the risk you are weary about of over-promising on the security front.Thanks. I will likely go the template route for now, but since I am writing a few `features` for this integration (Yubikey TOTP, Devise migration "feature", a CAPTCHA on login (from certain IPs) feature, and a haveibeenpwned.com password check feature), I may prototype that idea in that way and see where it leads.
This does make me wonder if you could point me in the direction of an externally-implemented Rodauth feature which you see as robustly tested, should one exist, so that I might study it to eventually make some of these features I'll work on publicly available for others? I think the HIBP password check is a natural extension of the existing "common" passwords check and might be useful to others, as would the Yubikey TOTP (as an alternative to the existing TOTP and Webauthn features).
Janko recently release the rodauth-pwned gem, so you can probably use that instead of writing one yourself: https://github.com/janko/rodauth-pwned
This does make me wonder if you could point me in the direction of an externally-implemented Rodauth feature which you see as robustly tested, should one exist, so that I might study it to eventually make some of these features I'll work on publicly available for others? I think the HIBP password check is a natural extension of the existing "common" passwords check and might be useful to others, as would the Yubikey TOTP (as an alternative to the existing TOTP and Webauthn features).I haven't reviewed any of the external Rodauth gems. However, they are functionally the same as the features that ship with Rodauth itself (by design). So looking at the features that ship with Rodauth should give you ample examples. All of the features that ship with Rodauth are robustly tested (100% line and branch coverage).
I thought of another approach with current Rodauth for doing what you want without overriding the templates, and that is using the *_view configuration methods, modifying the field errors, and calling super:login_view doif field_error(login_param)set_field_error(login_param, nil)set_field_error(password_param, invalid_password_message)endsuper()end