Merge pull request 'Do not render a different view when user is found but password invalid' (#87) from fabientot/guichet:prevent-bruteforce-on-login-form into main

Reviewed-on: Deuxfleurs/guichet#87

main.go

@@ -237,8 +237,6 @@ func handleLogout(w http.ResponseWriter, r *http.Request) {
 // --- Login Controller ---
 type LoginFormData struct {
 	Username     string
-	WrongUser    bool
-	WrongPass    bool
 	ErrorMessage string
 }
 
@@ -266,10 +264,9 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 			data := &LoginFormData{
 				Username: username,
 			}
-			if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) {
-				data.WrongPass = true
-			} else if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
-				data.WrongUser = true
+			if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) ||
+				ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
+				data.ErrorMessage = "Le mot de passe et identifiant ne correspondent pas."
 			} else {
 				data.ErrorMessage = err.Error()
 			}

templates/login.html

@@ -4,15 +4,9 @@
 <h4>S'identifier</h4>
 
 <form method="POST">
-  {{if .WrongUser}}
-    <div class="alert alert-danger">Identifiant invalide.</div>
-  {{end}}
-  {{if .WrongPass}}
-    <div class="alert alert-danger">Mot de passe invalide.</div>
-  {{end}}
-  {{if .ErrorMessage}}
+  {{ with .ErrorMessage}}
     <div class="alert alert-danger">Impossible de se connecter.
-      <div style="font-size: 0.8em">{{ .ErrorMessage }}</div>
+      <div style="font-size: 0.8em">{{ . }}</div>
     </div>
   {{end}}
   <div class="form-group">