From bd65ba54b457282214f08793b319897a62f8c13a Mon Sep 17 00:00:00 2001
From: Vexx
Date: Sat, 23 May 2026 20:08:46 +0530
Subject: [PATCH] Unify auth failure message to prevent user enumeration

Returning distinct messages ('Email is invalid' vs 'Invalid password') let attackers automate POST /api/auth/login across an email list and determine which addresses are registered purely from the response body. Both failure paths now return 'Invalid credentials' so no information about account existence is revealed to the caller.

Fixes #445
---
 backend/config/passportConfig.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/config/passportConfig.js b/backend/config/passportConfig.js
index 842f50ca..21e90943 100644
--- a/backend/config/passportConfig.js
+++ b/backend/config/passportConfig.js
@@ -9,12 +9,12 @@ passport.use(
 try {
 const user = await User.findOne( {email} );
 if (!user) {
- return done(null, false, { message: 'Email is invalid '});
+ return done(null, false, { message: 'Invalid credentials' });
 }
 const isMatch = await user.comparePassword(password);
 if (!isMatch) {
- return done(null, false, { message: 'Invalid password' });
+ return done(null, false, { message: 'Invalid credentials' });
 }
 return done(null, {