merge: Prevent user enumeration

Closes #187

See merge request opensavvy/formulaide!111

Author: maximegirardet

Diff for: fake/src/commonMain/kotlin/User.kt

@@ -15,6 +15,7 @@ import opensavvy.formulaide.core.data.Email
 import opensavvy.formulaide.core.data.Password
 import opensavvy.formulaide.core.data.Token
 import opensavvy.formulaide.fake.utils.newId
+import opensavvy.state.Failure
 import opensavvy.state.outcome.*
 import kotlin.random.Random
 import kotlin.random.nextUInt
@@ -159,10 +160,12 @@ class FakeUsers : User.Service {
 
 	override suspend fun logIn(email: Email, password: Password): Outcome<Pair<User.Ref, Token>> = out {
 		lock.withPermit {
-			val (id, user) = users.asSequence().first { it.value.email == email }
-			ensureFound(user.active) { "Could not find user $email" }
-			ensureAuthenticated(passwords[id] == password) { "Incorrect password" }
-			ensureAuthenticated(id !in blocked) { "The single-use password has already been used." }
+			val (id, user) = users.asSequence()
+				.firstOrNull { it.value.email == email }
+				?: shift(Failure(Failure.Kind.Unauthenticated, "Invalid credentials"))
+			ensureAuthenticated(user.active) { "Invalid credentials" }
+			ensureAuthenticated(passwords[id] == password) { "Invalid credentials" }
+			ensureAuthenticated(id !in blocked) { "Invalid credentials" }
 
 			val token = Token("very-strong-token-${Random.nextUInt()}")
 			tokens.getOrPut(id) { ArrayList() }

Diff for: test/src/commonMain/kotlin/User.kt

@@ -6,6 +6,7 @@ import kotlinx.coroutines.withContext
 import opensavvy.backbone.Ref.Companion.now
 import opensavvy.formulaide.core.Auth
 import opensavvy.formulaide.core.User
+import opensavvy.formulaide.core.data.Email
 import opensavvy.formulaide.core.data.Email.Companion.asEmail
 import opensavvy.formulaide.core.data.Password
 import opensavvy.formulaide.core.data.Token
@@ -292,7 +293,8 @@ abstract class UserTestCases : TestCase<User.Service> {
 		assertSuccess(employee.disable())
 		val email = employee.now().orThrow().email
 
-		assertNotFound(users.logIn(email, singleUse))
+		// do not return NotFound! -> it would help an attacker enumerate users
+		assertUnauthenticated(users.logIn(email, singleUse))
 	}
 
 	@Test
@@ -383,4 +385,14 @@ abstract class UserTestCases : TestCase<User.Service> {
 		assertUnauthenticated(employee.verifyToken(token2))
 	}
 
+	@Test
+	@JsName("logInFalseUser")
+	fun `cannot log in as a user that doesn't exist`() = runTest {
+		val users = new()
+
+		// No user was created, this user cannot exist
+		//   do not return a NotFound! it would help an attacker enumerate accounts
+		assertUnauthenticated(users.logIn(Email("[email protected]"), Password("whatever")))
+	}
+
 }