Handle passwordless identities during sign-in#1416
AITechTim wants to merge 1 commit into
(cherry picked from commit c46402b)
Signed-off-by: AITechTim <schmittmann@cancilico.com>
Contributor
Hello @AITechTim, we are looking into your PR internally and will come back to you soon, thanks for your contribution 🙏
Summary
INVALID_CREDENTIALS GraphQL error for passwordless identities as for unknown users or wrong passwords, avoiding account-state enumeration.
Why
Invited accounts can exist without a local password hash, especially when they were created through invite or SSO-first flows. Password login for those accounts previously reached password verification with a nil hash and surfaced as an internal server error. This keeps the internal error typed while ensuring unauthenticated sign-in responses remain indistinguishable.
Validation
npm ci
PATH=/usr/local/go/bin:$PATH make @probo/emails
PATH=/usr/local/go/bin:$PATH make relay
PATH=/usr/local/go/bin:$PATH make generate
/usr/local/go/bin/go test ./pkg/iam ./pkg/server/gqlutils ./pkg/server/api/connect/v1
npm --workspace @probo/console run check
../../node_modules/.bin/eslint --no-warn-ignored src/pages/iam/auth/sign-in/PasswordSignInPage.tsx src/pages/iam/auth/ForgotPasswordPage.tsx
git diff --check
Notes
The commit includes the required DCO Signed-off-by trailer and is GPG-signed with a GitHub-verified key. The account-state enumeration review thread is addressed by commit a6a7bdb.
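The sign-in behaviour the description asks for, as an added example in Go that is not the project's own code: unknown user, passwordless identity (nil hash) and wrong password all collapse to one INVALID_CREDENTIALS error for the client, while the internal cause stays a typed, wrapped error. The in-memory store, the Identity type and the sha256 stand-in for the real password hash are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrInvalidCredentials is the only failure a client ever sees.
var ErrInvalidCredentials = errors.New("INVALID_CREDENTIALS")
// ErrPasswordlessIdentity is the typed internal cause for accounts that have no
// local password hash (invite or SSO-first flows); it is wrapped, never exposed.
var ErrPasswordlessIdentity = errors.New("identity has no local password hash")

// Identity is a stored account (assumed shape); HashedPassword is nil for passwordless ones.
type Identity struct {
	Email          string
	HashedPassword []byte
}

// hashPassword is a stand-in so the example runs on the standard library alone;
// a real service uses bcrypt or argon2 here (an assumption, not the project's code).
func hashPassword(pw string) []byte { h := sha256.Sum256([]byte(pw)); return h[:] }

// dummyHash is compared against when no real hash exists, so unknown-user and
// passwordless requests do the same work as a wrong-password attempt.
var dummyHash = hashPassword("placeholder-never-accepted")

// SignIn verifies email/password. Every failure collapses to ErrInvalidCredentials
// on the outside; the typed cause stays wrapped inside for server-side logging.
func SignIn(store map[string]*Identity, email, password string) error {
	var cause error
	stored := dummyHash
	id, found := store[email]
	switch {
	case !found:
		cause = errors.New("unknown user")
	case id.HashedPassword == nil:
		cause = ErrPasswordlessIdentity // before the fix this nil hash reached verification
	default:
		stored = id.HashedPassword
	}
	// The comparison runs on every path, even when the outcome is already decided.
	if subtle.ConstantTimeCompare(stored, hashPassword(password)) != 1 && cause == nil {
		cause = errors.New("wrong password")
	}
	if cause != nil {
		return fmt.Errorf("%w: %w", ErrInvalidCredentials, cause)
	}
	return nil
}
```

A GraphQL resolver would map any error satisfying errors.Is(err, ErrInvalidCredentials) to the single client-facing code and log the wrapped cause only on the server.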