Can I check from the error message whether the username is invalid or not?

#1

I checked the login api.

It shows invalid username / password.

I’d like to check whether the username is invalid or not.

#2

It may not be possible. You can check whether the username exists first, and then, if the error message is emitted, you know the password is invalid.

1 Like
#3

This is the only way I see for you to do it. First run a query on the User class to check the existence of the username, then try to log in. In order to query a User by its username you will have to create a Cloud Code function and pass the useMasterKey option. Give it a try and let me know if you have any problem doing that.

1 Like
#4

Ah, I’m a Node developer. I use parse-server as my database server and I wrap an API layer outside the application, such as /api/user/login or /api/user/signup and so on. I can also use an SMS code cloud service with my API layer.

#5

This is actually also a very good way to use Parse. I know many developers who keep all classes private and create Cloud Code functions for each endpoint that they need to expose.

#6

Hello, what you are trying to do is bad practice because it is a potential security leak. This way you are exposing that the email or username you are looking for is part of the system.

You can see the most popular companies and providers working very hard on this to protect their databases. When you want to reset your password, for example, you see a message like this: “We’ve sent a password reset email if you are registered in our system” …

I hope this information is helpful.

3 Likes
#7

@mignev makes a very valid point…

See this explanation of why it is an issue.

To summarise:

Often, web applications reveal when a username exists on the system, either as a consequence of a misconfiguration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states either that the username is not present on the system or that the provided password is wrong. The information obtained can be used by an attacker to build a list of users on the system. That list can then be used to attack the web application, for example through a brute force or default username/password attack.

Not only is this a security risk; if usernames on your app should be kept private, it is also a breach of privacy.


For example, in v3.1.0 the Parse Server password reset behaviour was changed so that sendPasswordResetEmail returns success even if the email is not found; see my answer to a question about this on Stack Overflow.

3 Likes