fix!: api login should not suggest which credential is wrong (#32159)

.changeset/fuzzy-cherries-buy.md

@@ -0,0 +1,7 @@
+---
+"@rocket.chat/meteor": major
+---
+
+Api login should not suggest which credential is wrong (password/username)
+
+Failed login attemps will always return `Unauthorized` instead of the internal fail reason

apps/meteor/app/lib/server/lib/loginErrorMessageOverride.js

@@ -1,14 +0,0 @@
-// Do not disclose if user exists when password is invalid
-import { Accounts } from 'meteor/accounts-base';
-import { Meteor } from 'meteor/meteor';
-
-const { _runLoginHandlers } = Accounts;
-Accounts._runLoginHandlers = function (methodInvocation, options) {
-	const result = _runLoginHandlers.call(Accounts, methodInvocation, options);
-
-	if (result.error && result.error.reason === 'Incorrect password') {
-		result.error = new Meteor.Error(403, 'User not found');
-	}
-
-	return result;
-};

apps/meteor/app/lib/server/lib/loginErrorMessageOverride.ts

@@ -0,0 +1,16 @@
+// Do not disclose if user exists when password is invalid
+import { Accounts } from 'meteor/accounts-base';
+import { Meteor } from 'meteor/meteor';
+
+const { _runLoginHandlers } = Accounts;
+
+Accounts._options.ambiguousErrorMessages = true;
+Accounts._runLoginHandlers = async function (methodInvocation, options) {
+	const result = await _runLoginHandlers.call(Accounts, methodInvocation, options);
+
+	if (result.error instanceof Meteor.Error) {
+		result.error = new Meteor.Error(401, 'User not found');
+	}
+
+	return result;
+};

apps/meteor/client/meteorOverrides/login/google.ts

@@ -8,16 +8,6 @@ import { overrideLoginMethod, type LoginCallback } from '../../lib/2fa/overrideL
 import { wrapRequestCredentialFn } from '../../lib/wrapRequestCredentialFn';
 import { createOAuthTotpLoginMethod } from './oauth';
 
-declare module 'meteor/accounts-base' {
-	// eslint-disable-next-line @typescript-eslint/no-namespace
-	namespace Accounts {
-		export const _options: {
-			restrictCreationByEmailDomain?: string | (() => string);
-			forbidClientAccountCreation?: boolean | undefined;
-		};
-	}
-}
-
 declare module 'meteor/meteor' {
 	// eslint-disable-next-line @typescript-eslint/no-namespace
 	namespace Meteor {

apps/meteor/definition/externals/meteor/accounts-base.d.ts

@@ -23,7 +23,7 @@ declare module 'meteor/accounts-base' {
 
 		function _insertLoginToken(userId: string, token: { token: string; when: Date }): void;
 
-		function _runLoginHandlers<T>(methodInvocation: T, loginRequest: Record<string, any>): LoginMethodResult | undefined;
+		function _runLoginHandlers<T>(methodInvocation: T, loginRequest: Record<string, any>): Promise<LoginMethodResult>;
 
 		function registerLoginHandler(name: string, handler: (options: any) => undefined | object): void;
 
@@ -57,6 +57,14 @@ declare module 'meteor/accounts-base' {
 
 		const _accountData: Record<string, any>;
 
+		interface AccountsServerOptions {
+			ambiguousErrorMessages?: boolean;
+			restrictCreationByEmailDomain?: string | (() => string);
+			forbidClientAccountCreation?: boolean | undefined;
+		}
+
+		export const _options: AccountsServerOptions;
+
 		// eslint-disable-next-line @typescript-eslint/no-namespace
 		namespace oauth {
 			function credentialRequestCompleteHandler(

apps/meteor/tests/end-to-end/api/failed-login-attempts.ts

@@ -54,7 +54,7 @@ describe('[Failed Login Attempts]', () => {
 			.expect(401)
 			.expect((res) => {
 				expect(res.body).to.have.property('status', 'error');
-				expect(res.body).to.have.property('message', 'Incorrect password');
+				expect(res.body).to.have.property('message', 'Unauthorized');
 			});
 	}