Prevent attackers from enumerating valid usernames in the system
defmodule UserController do
use MyAppWeb, :controller
def login(conn, %{'username' => username, 'password' => password}) do
case Accounts.get_user_by_username(username) do
nil -> send_resp(conn, 400, "User does not exist")
user ->
if user.password == password,
do: send_resp(conn, 200, "Logged in successfully")
else: send_resp(conn, 400, "Wrong password")
end
end
end
end
The above code is vulnerable to user enumeration. When a user tries to log in, the application responds differently depending on whether the provided username exists or not. If the username doesn't exist, it sends back a 'User does not exist' message. If the username exists but the password is wrong, it sends back a 'Wrong password' message. An attacker could use these differing responses to enumerate the existing users.
defmodule UserController do
use MyAppWeb, :controller
def login(conn, %{'username' => username, 'password' => password}) do
case Accounts.get_user_by_username(username) do
nil -> send_resp(conn, 400, "Incorrect credentials")
user ->
if user.password == password,
do: send_resp(conn, 200, "Logged in successfully")
else: send_resp(conn, 400, "Incorrect credentials")
end
end
end
end
In the secure code example, the server's response is the same ('Incorrect credentials') for both existent and non-existent users. This prevents an attacker from being able to enumerate the existing users based on the server's responses.