@Noxurge Noxurge commented Nov 30, 2025

This pull request introduces two security fixes related to authentication behavior and exposure of sensitive data in user-related API responses.

1 - User Enumeration Mitigation

The authentication endpoint returned different error messages depending on whether the username existed or not.
This allowed attackers to determine valid usernames by comparing responses.

Fix implemented

  • Unified authentication error responses.

  • All invalid login attempts now return the same generic message.

2 - Removal of Password Hash Exposure

The user detail API was including password hashes in the returned data, which is unnecessary and unsafe.

Fix implemented

  • Sensitive fields were removed from all user-related API serializers.

  • Ensured password hashes are not returned under any condition.
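As an added illustration of both fixes (example code, not the project's own): a login handler that reveals whether a username exists through its error message beside one that returns a single generic response, plus an allow-list serializer that keeps password hashes out of user responses. The in-memory user store, salt, iteration count and field names are constructed for this example.

```python
import hashlib
import hmac

# Constructed demo parameters; a real service uses a per-user random salt.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000


def hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the demo salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user store: only "alice" exists.
USERS = {
    "alice": {"id": 1, "email": "alice@example.com", "is_admin": False,
              "password_hash": hash_password("correct horse")},
}
# Pre-computed hash compared against when the username is unknown, so the
# handler does the same amount of work either way (no timing side channel).
_DUMMY_HASH = hash_password("placeholder-never-used-to-log-in")

GENERIC_ERROR = {"error": "Invalid username or password"}


def login_vulnerable(username: str, password: str):
    """Before the fix: the status code and message differ by username validity."""
    user = USERS.get(username)
    if user is None:
        return 404, {"error": "User not found"}
    if not hmac.compare_digest(user["password_hash"], hash_password(password)):
        return 401, {"error": "Wrong password"}
    return 200, {"id": user["id"]}


def login_hardened(username: str, password: str):
    """After the fix: every failed attempt yields the same status and body."""
    user = USERS.get(username)
    stored = user["password_hash"] if user else _DUMMY_HASH
    matches = hmac.compare_digest(stored, hash_password(password))
    if user is None or not matches:
        return 401, GENERIC_ERROR
    return 200, {"id": user["id"]}


# Allow-list of fields a user-detail response may contain; anything not
# named here (password_hash included) can never leak into the output.
PUBLIC_FIELDS = ("id", "email", "is_admin")


def serialize_user(user: dict) -> dict:
    return {field: user[field] for field in PUBLIC_FIELDS}
```

The hardened handler still hashes the supplied password when the username is unknown, so response timing does not reveal what the unified message no longer does.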
