improve logging when user authentication fails - related to issue #681

d2151f9b · Lloyd Hilaiel · 78cbbd26 · d2151f9b
Commit d2151f9b authored 13 years ago by Lloyd Hilaiel
--- a/lib/wsapi/authenticate_user.js
+++ b/lib/wsapi/authenticate_user.js
@@ -14,18 +14,29 @@ exports.authed = false;
 exports.args = ['email','pass'];

 exports.process = function(req, res) {
+  function fail(reason) {
+    var r = { success: false };
+    if (reason) r.reason = reason;
+    logger.debug('authentication fails for user: ' + req.body.email);
+    return res.json(r);
+  }
+
  db.checkAuth(req.body.email, function(hash) {
-    if (typeof hash !== 'string' || typeof req.body.pass !== 'string')
-    {
-      return res.json({ success: false });
+    if (typeof hash !== 'string') {
+      return fail('no such user');
+    }
+    // this should never be false because higher level code checks, but
+    // let's check again!  whee!
+    if (typeof req.body.pass !== 'string') {
+      return fail('missing "pass" argument');
    }

    bcrypt.compare(req.body.pass, hash, function (err, success) {
      if (err) {
-        logger.warn("error comparing passwords with bcrypt: " + err);
-        res.json({ success: false });
+        logger.error("error comparing passwords with bcrypt: " + err);
+        return fail("internal password check error");
      } else if (!success) {
-        res.json({ success: false });
+        return fail("mismatch");
      } else {
        if (!req.session) req.session = {};
        wsapi.setAuthenticatedUser(req.session, req.body.email);