[Security] Unify auth failure message to prevent user enumeration#458

Closed
advikdivekar wants to merge 1 commit into
GitMetricsLab:mainfrom
advikdivekar:security/fix-user-enumeration-445

Conversation

@advikdivekar (Contributor)

Problem

backend/config/passportConfig.js returned two distinct error messages from the login strategy:

  • 'Email is invalid ' — when no account matched the submitted email
  • 'Invalid password' — when the email existed but the password was wrong

Any unauthenticated caller could automate POST /api/auth/login across a list of email addresses and, purely from the response body, determine which ones are registered in the database. With the wildcard CORS policy that was in place, this enumeration could be driven from any webpage with no browser restriction whatsoever. The harvested list is directly usable for targeted phishing, credential-stuffing against other services, or identifying high-value accounts.

Changes

backend/config/passportConfig.js

  • Line 12: changed 'Email is invalid ' → 'Invalid credentials'
  • Line 17: changed 'Invalid password' → 'Invalid credentials'

Both failure paths now return the identical generic message. The caller learns only that authentication failed — nothing about whether the email is registered.

Why this approach fixes the root cause

User enumeration works because the attacker can distinguish two states. Collapsing both failure cases to one identical message removes the signal entirely. This is the industry-standard approach (used by every major auth provider) and requires no additional infrastructure — it is a two-line change at the point where the distinction is generated.

Steps to test

  1. Start the backend (npm start in backend/).
  2. POST /api/auth/login with an email that does not exist in the database and any password.
    • Expected response: { "message": "Invalid credentials" }
  3. POST /api/auth/login with a registered email and a wrong password.
    • Expected response: { "message": "Invalid credentials" }
  4. Confirm both responses are byte-for-byte identical — no timing or body difference reveals account existence.
  5. POST /api/auth/login with correct credentials — login succeeds as normal.

Edge cases covered

  • Unregistered email + any password → Invalid credentials
  • Registered email + wrong password → Invalid credentials
  • Registered email + correct password → 200 Login successful (unchanged)
  • The trailing space in the original 'Email is invalid ' string (a latent bug) is also removed.

Regression check

Only passportConfig.js is modified. No route handlers, middleware, session logic, or tests are changed. The successful login path (return done(null, { id, username, email })) is untouched.

Please review and merge this under GSSoC 2026.

Returning distinct messages ('Email is invalid' vs 'Invalid password')
let attackers automate POST /api/auth/login across an email list and
determine which addresses are registered purely from the response body.

Both failure paths now return 'Invalid credentials' so no information
about account existence is revealed to the caller.

Fixes GitMetricsLab#445
@netlify

netlify Bot commented May 23, 2026

Deploy Preview for github-spy ready!

Latest commit: bd65ba5
Latest deploy log: https://app.netlify.com/projects/github-spy/deploys/6a11bc14f9b5e90008e308e0
Deploy Preview: https://deploy-preview-458--github-spy.netlify.app

@coderabbitai (Contributor)

coderabbitai Bot commented May 23, 2026

Warning

Review limit reached

@advikdivekar, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 56 minutes and 29 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: efdfe92c-1355-4d51-a3cf-88014d6b26ab

📥 Commits

Reviewing files that changed from the base of the PR and between 373dde2 and bd65ba5.

📒 Files selected for processing (1)
  • backend/config/passportConfig.js

@coderabbitai (Contributor)

coderabbitai Bot commented May 23, 2026

Caution

Review failed

An error occurred during the review process. Please try again later.


@advikdivekar (Contributor, Author)

@mehul-m-prajapati why was my code not merged? Did I make any mistakes in my code? Please let me know.
