Login: show whether username or password was wrong

I get a fair number of "forgot password" emails where the person is actually trying to log in with the wrong username. Normally, a login system shouldn't display whether the username or password was the incorrect part, but since it's already public information which usernames exist on Tildes (simply by visiting /user/<username>), this really isn't meaningfully hiding anything. It would only have any effect on the most absolutely naive attackers. I think it's an acceptable trade-off to help out people that are inadvertently trying to log in with the wrong username instead.
2026-04-16 06:18:34 +02:00 · 2020-05-08 18:22:17 -06:00
parent d901abfb84
commit 25e4207563
1 changed files with 25 additions and 4 deletions
--- a/tildes/tildes/views/login.py
+++ b/tildes/tildes/views/login.py
@@ -81,16 +81,37 @@ def post_login(
        .one_or_none()
    )

-    # If that user doesn't exist or the password was wrong, error out
-    if not user or not user.is_correct_password(password):
+    # If the username doesn't exist, tell them so - usually this isn't considered a good
+    # practice, but it's completely trivial to check if a username exists on Tildes
+    # anyway (by visiting /user/<username>), so it's better to just let people know if
+    # they're trying to log in with the wrong username
+    if not user:
        incr_counter("login_failures")

        # log the failure - need to manually commit because of the exception
-        log_entry = Log(LogEventType.USER_LOG_IN_FAIL, request, {"username": username})
+        log_entry = Log(
+            LogEventType.USER_LOG_IN_FAIL,
+            request,
+            {"username": username, "reason": "Nonexistent username"},
+        )
        request.db_session.add(log_entry)
        request.tm.commit()

-        raise HTTPUnprocessableEntity("Incorrect username or password")
+        raise HTTPUnprocessableEntity("That username does not exist")
+
+    if not user.is_correct_password(password):
+        incr_counter("login_failures")
+
+        # log the failure - need to manually commit because of the exception
+        log_entry = Log(
+            LogEventType.USER_LOG_IN_FAIL,
+            request,
+            {"username": username, "reason": "Incorrect password"},
+        )
+        request.db_session.add(log_entry)
+        request.tm.commit()
+
+        raise HTTPUnprocessableEntity("Incorrect password")

    # Don't allow banned users to log in
    if user.is_banned: