Skip to content

sec(auth): collapse 'MFA not configured' into generic auth failure (closes #391)#830

Merged
cristim merged 1 commit into
feat/multicloud-web-frontendfrom
fix/391-wave10
Jun 3, 2026
Merged

sec(auth): collapse 'MFA not configured' into generic auth failure (closes #391)#830
cristim merged 1 commit into
feat/multicloud-web-frontendfrom
fix/391-wave10

Conversation

@cristim
Copy link
Copy Markdown
Member

@cristim cristim commented May 28, 2026

Summary

  • Collapses the "MFA is enabled but not configured" error into the same generic "Check your email address and password and try again" response used for wrong passwords, so a credential-stuffing attacker cannot distinguish "password correct, MFA data broken" from "wrong password"
  • Adds an internal logging.Errorf (user ID only, no email/PII) so operators can detect the data-integrity anomaly without relying on the API response
  • Removes the now-dead substring match from mapMFAServiceError in handler_auth.go
  • Extends TestLogin_WithMFA_NoSecret with a sub-test that asserts both paths return the identical generic error body

Test plan

  • go test github.com/LeanerCloud/CUDly/internal/auth/... -run TestLogin_WithMFA_NoSecret -- all 3 sub-tests pass
  • go build ./... clean
  • Verify wrong-password and right-password-no-MFA-secret return the same HTTP 401 body via curl / integration test

Closes #391

@cristim cristim added triaged Item has been triaged priority/p3 Polish / idea / may never ship severity/low Minor harm urgency/eventually No deadline impact/few Limited audience effort/xs Trivial / one-liner type/security Security finding labels May 28, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 28, 2026
edited
Loading

Warning

Review limit reached

@cristim, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 3 minutes and 31 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ec8dae36-e30e-4376-8174-3e36be390bd5

📥 Commits

Reviewing files that changed from the base of the PR and between eb85a50 and 2dc84e2.

📒 Files selected for processing (3)
  • internal/api/handler_auth.go
  • internal/auth/service.go
  • internal/auth/service_test.go
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/391-wave10

Comment @coderabbitai help to get the list of available commands and usage tips.

@cristim
Copy link
Copy Markdown
Member Author

cristim commented May 28, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 28, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim
Copy link
Copy Markdown
Member Author

cristim commented May 30, 2026

@coderabbitai full review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 30, 2026

✅ Actions performed

Full review triggered.

@cristim
sec(auth): collapse MFA-not-configured into generic auth failure (closes
2dc84e2 
 #391)

When MFA is enabled but the secret is missing (data-integrity anomaly),
returning a distinct "MFA is enabled but not configured" error reveals that
the supplied password was correct. Collapse the branch to the same generic
"Check your email address and password and try again" message used for wrong
passwords, and log the anomaly internally (by user ID, no PII) so operators
can detect it without relying on the API response.

Remove the dead substring match from mapMFAServiceError in handler_auth.go.
Add a sub-test that asserts both paths return an identical response body.
@cristim
Copy link
Copy Markdown
Member Author

cristim commented Jun 3, 2026

Rebased on feat/multicloud-web-frontend. Resolved a conflict in internal/auth/service_test.go:

Verified post-rebase: gofmt clean, go vet clean, go build ok, and go test ./internal/auth/... ./internal/api/... -> 1909 passed.

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 3, 2026
edited
Loading

@cristim Thanks for the detailed rebase notes — the Role: RoleUser drop aligns cleanly with the group-permission model merge, and the security invariant (identical generic response for both failure paths) looks preserved. Triggering an incremental review on the rebased branch now.

🧠 Learnings used 
Learnt from: cristim
Repo: LeanerCloud/CUDly PR: 0
File: :0-0
Timestamp: 2026-05-05T15:44:54.463Z
Learning: In the LeanerCloud/CUDly repository, when a CodeRabbit review flags something as "outside-diff" that was already implemented in an earlier commit of the same PR, it is likely a stale-snapshot artifact where the review diff was generated against a pre-fix view. The inline comment convention `(CR pass on PR #<number> Finding N)` is used by the maintainer (cristim) to mark lines that were changed in direct response to a prior CodeRabbit review pass.
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim cristim merged commit 878046e into feat/multicloud-web-frontend Jun 3, 2026
4 checks passed
This was referenced Jun 3, 2026
Closed
Open
Open
Open
Merged
@cristim cristim deleted the fix/391-wave10 branch June 3, 2026 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

effort/xs Trivial / one-liner impact/few Limited audience priority/p3 Polish / idea / may never ship severity/low Minor harm triaged Item has been triaged type/security Security finding urgency/eventually No deadline

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cristim