Auth: do not expose disabled user disabled status (#18229)

Fixes #17947
6 years ago · d16fd58bdb
parent 4b16cd6cc8
commit d16fd58bdb
2 changed files with 11 additions and 4 deletions
--- a/pkg/api/login.go
+++ b/pkg/api/login.go
@ -81,7 +81,7 @@ func tryOAuthAutoLogin(c *models.ReqContext) bool {
 	}
 	oauthInfos := setting.OAuthService.OAuthInfos
 	if len(oauthInfos) != 1 {
-		log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured.")
+		log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured")
 		return false
 	}
 	for key := range setting.OAuthService.OAuthInfos {
@ -114,12 +114,16 @@ func (hs *HTTPServer) LoginPost(c *models.ReqContext, cmd dtos.LoginCommand) Res
 	}

 	if err := bus.Dispatch(authQuery); err != nil {
+		e401 := Error(401, "Invalid username or password", err)
 		if err == login.ErrInvalidCredentials || err == login.ErrTooManyLoginAttempts {
-			return Error(401, "Invalid username or password", err)
+			return e401
 		}

+		// Do not expose disabled status,
+		// just show incorrect user credentials error (see #17947)
 		if err == login.ErrUserDisabled {
-			return Error(401, "User is disabled", err)
+			hs.log.Warn("User is disabled", "user", cmd.User)
+			return e401
 		}

 		return Error(500, "Error while trying to authenticate user", err)
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@ -191,8 +191,11 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 		return
 	}

+	// Do not expose disabled status,
+	// just show incorrect user credentials error (see #17947)
 	if cmd.Result.IsDisabled {
-		hs.redirectWithError(ctx, login.ErrUserDisabled)
+		oauthLogger.Warn("User is disabled", "user", cmd.Result.Login)
+		hs.redirectWithError(ctx, login.ErrInvalidCredentials)
 		return
 	}