Self-Hosted
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Stop leaking usernames when SIGNUPS_ALLOWED=false

Browse Source 
This fixes #691 - respond in less specific way to not leak the
fact that user is already registered on the server.
pull/695/head
Miro Prasil 5 years ago
parent 77b78f0991
commit 00a11b1b78
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File

10
src/api/core/accounts.rs
Unescape View File

@ -62,7 +62,11 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
let mut user = match User::find_by_mail(&data.Email, &conn) { let mut user = match User::find_by_mail(&data.Email, &conn) {
Some(user) => { Some(user) => {
if !user.password_hash.is_empty() { if !user.password_hash.is_empty() {
err!("User already exists") if CONFIG.signups_allowed() {
err!("User already exists")
} else {
err!("Registration not allowed or user already exists")
}
} }
if let Some(token) = data.Token { if let Some(token) = data.Token {
@ -82,14 +86,14 @@ fn register(data: JsonUpcase<RegisterData>, conn: DbConn) -> EmptyResult {
} else if CONFIG.signups_allowed() { } else if CONFIG.signups_allowed() {
err!("Account with this email already exists") err!("Account with this email already exists")
} else { } else {
err!("Registration not allowed") err!("Registration not allowed or user already exists")
} }
} }
None => { None => {
if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) { if CONFIG.signups_allowed() || Invitation::take(&data.Email, &conn) {
User::new(data.Email.clone()) User::new(data.Email.clone())
} else { } else {
err!("Registration not allowed") err!("Registration not allowed or user already exists")
} }
} }
}; };

Write Preview
Loading…
Cancel
Save