[REST] Change "user not found" to "$1 or password wrong"

[soundstorm]

Some users are trying to login via App and perhaps mistype their password.
We're just yielding "user not found" in every case of user/pw mismatch, changing that message to "user not found or password wrong" as on web frontend would be better.

[TwizzyDizzy]

Hi @soundstorm

I disagree with differentiating between "password wrong" and "user doesn't exist" (which would enable an attacker to check whether a username already exists which could be a privacy issue).

Yet I agree with you that the wording is rather unfortunate.

I'd suggest something along the lines of

Login attempt failed. Please make sure your username and password are correct.

Cheers
Twizzy

[soundstorm]

@TwizzyDizzy meant "User not found or password wrong", regular frontend login retuns a message like this, but when using the API like in our apps it just retuns that the user is nonexisting, which is confusing. So we just need to match those phrases or replace it with the sentence you recommended.

[rodrigok]

@soundstorm Which app are you using? This seems to be a client issue when showing a friendly message to the user and not a REST problem

[rodrigok]

Our server does not return User not found for REST API since version 0.60.0

Corrent example is:

 curl -g https://open.rocket.chat/api/v1/login -H Content-Type:application/json -d '{"username":"user.unexistent.alsjkda","password":"asd"}'

Response:

{"status":"error","error":"Unauthorized","message":"Unauthorized"

How client would handle this message is not responsibility of the REST interface. We reply Unauthorized is user does not exists or if the password is wrong.

So I'll close this issue, please let me know if I missed something.