Hello
We want to change the texts “No such user” and “Invalid credential” error messages to another text.
Can you please help us? Thank you in advance.
It’s not (easily) possible to make such changes. What are you trying to change there?
Is it to not disclose whether a user exists or not by any chance?
Yes, we have a security issue with this, we need to change the text to another more “general”. Is there a workaround for this?
Currently it’s expected behavior in Indico to show “user-friendly” errors where you immediately know whether the username you entered actually exists or not.
However, there’s a work-in-progress pull request that would add a setting to change this behavior. So in a future version you may be able to configure Indico to not disclose this information.
Thanks for your response. Is it possible to make the text change in the .po file?
No.
This change MAY work (I did not test it):
diff --git a/indico/core/auth.py b/indico/core/auth.py
index ef582e3a15..25c1e7999e 100644
--- a/indico/core/auth.py
+++ b/indico/core/auth.py
@@ -115,6 +115,8 @@ class IndicoMultipass(Multipass):
fn = logger.debug
fn('Authentication via %s failed: %s (%r)', exc.provider.name if exc.provider else None, exc_str,
exc.details)
+ if isinstance(exc, NoSuchUser):
+ exc = InvalidCredentials('Invalid credentials')
return super().handle_auth_error(exc, redirect_to_login=redirect_to_login)
There will still be other ways to know if someone has an account though, e.g. via the “reset password” feature. This change above only hides the existence of valid usernames.
We got an “Internal Server Error”
it was untested. check the log for error, or try running indico shell to get the traceback if it happens at startup time