🥅 Align LDAP auth errors with regular auth errors.

2025-12-06 22:43:10 -06:00 · 2023-05-02 15:11:51 +03:00 · 2023-05-02 15:11:51 +03:00 · a6b8ea963d
parent 3e471fcf86
commit a6b8ea963d
1 changed files with 26 additions and 4 deletions
--- a/clientapi/auth/password.go
+++ b/clientapi/auth/password.go
@ -268,18 +268,40 @@ func (t *LoginTypePassword) authenticateLdap(username, password string) (bool, *
 		userDN := result.Entries[0].DN
 		err = conn.Bind(userDN, password)
 		if err != nil {
+			var localpart string
+			localpart, _, err = userutil.ParseUsernameParam(username, t.Config.Matrix)
+			if err != nil {
+				return false, &util.JSONResponse{
+					Code: http.StatusUnauthorized,
+					JSON: jsonerror.InvalidUsername(err.Error()),
+				}
+			}
+			if t.Rt != nil {
+				t.Rt.Act(localpart)
+			}
 			return false, &util.JSONResponse{
-				Code: http.StatusUnauthorized,
-				JSON: jsonerror.InvalidUsername(err.Error()),
+				Code: http.StatusForbidden,
+				JSON: jsonerror.Forbidden("The username or password was incorrect or the account does not exist."),
 			}
 		}
 	} else {
 		bindDn := strings.ReplaceAll(t.Config.Ldap.UserBindDn, "{username}", username)
 		err = conn.Bind(bindDn, password)
 		if err != nil {
+			var localpart string
+			localpart, _, err = userutil.ParseUsernameParam(username, t.Config.Matrix)
+			if err != nil {
+				return false, &util.JSONResponse{
+					Code: http.StatusUnauthorized,
+					JSON: jsonerror.InvalidUsername(err.Error()),
+				}
+			}
+			if t.Rt != nil {
+				t.Rt.Act(localpart)
+			}
 			return false, &util.JSONResponse{
-				Code: http.StatusUnauthorized,
-				JSON: jsonerror.InvalidUsername(err.Error()),
+				Code: http.StatusForbidden,
+				JSON: jsonerror.Forbidden("The username or password was incorrect or the account does not exist."),
 			}
 		}
 	}