diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/user/UserAPIController.java b/src/main/java/org/wise/portal/presentation/web/controllers/user/UserAPIController.java index ca965b81f..8e1b52f53 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/user/UserAPIController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/user/UserAPIController.java @@ -179,6 +179,7 @@ private boolean isGoogleClassroomEnabled() { return !googleClientId.isEmpty() && !googleClientSecret.isEmpty(); } + @Secured("ROLE_USER") @PostMapping("/check-authentication") HashMap checkAuthentication(@RequestParam("username") String username, @RequestParam("password") String password) { @@ -188,12 +189,18 @@ HashMap checkAuthentication(@RequestParam("username") String use response.put("isUsernameValid", false); response.put("isPasswordValid", false); } else { + boolean isPasswordValid = userService.isPasswordCorrect(user, password); response.put("isUsernameValid", true); - response.put("isPasswordValid", userService.isPasswordCorrect(user, password)); - response.put("userId", user.getId()); - response.put("username", user.getUserDetails().getUsername()); - response.put("firstName", user.getUserDetails().getFirstname()); - response.put("lastName", user.getUserDetails().getLastname()); + response.put("isPasswordValid", isPasswordValid); + // Only reveal the account id and real name once the correct password has been + // provided, so this endpoint cannot be used to harvest user ids and real names + // by probing usernames. + if (isPasswordValid) { + response.put("userId", user.getId()); + response.put("username", user.getUserDetails().getUsername()); + response.put("firstName", user.getUserDetails().getFirstname()); + response.put("lastName", user.getUserDetails().getLastname()); + } } return response; }