feat: enhance user authentication by adding specific error handling for non-existent accounts

2026-05-23 19:05:16 +02:00 · 2026-02-08 17:10:40 +05:30 · 2026-02-08 17:10:40 +05:30 · 54b4501ca6
commit 54b4501ca6
parent 20a13df7e7
2 changed files with 32 additions and 1 deletions
--- a/surfsense_backend/app/users.py
+++ b/surfsense_backend/app/users.py
@ -2,7 +2,7 @@ import logging
 import uuid

 import httpx
-from fastapi import Depends, Request, Response
+from fastapi import Depends, HTTPException, Request, Response
 from fastapi.responses import JSONResponse, RedirectResponse
 from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin, models
 from fastapi_users.authentication import (
@ -180,6 +180,32 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
    ):
        print(f"Verification requested for user {user.id}. Verification token: {token}")

+    async def authenticate(self, credentials):
+        """
+        Override to return a specific error when user account doesn't exist,
+        instead of a generic LOGIN_BAD_CREDENTIALS.
+        """
+        from fastapi_users.exceptions import UserNotExists
+
+        try:
+            user = await self.get_by_email(credentials.username)
+        except UserNotExists:
+            # Still hash the password to mitigate timing attacks
+            self.password_helper.hash(credentials.password)
+            raise HTTPException(
+                status_code=400,
+                detail="LOGIN_USER_NOT_FOUND",
+            ) from None
+
+        verified, updated_password_hash = self.password_helper.verify_and_update(
+            credentials.password, user.hashed_password
+        )
+        if not verified:
+            return None
+        if updated_password_hash is not None:
+            await self.user_db.update(user, {"hashed_password": updated_password_hash})
+        return user
+

 async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db)):
    yield UserManager(user_db)