Sravan/BizGaze_Remote
0
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

added Username or password do not match" + lockout warning

Browse Source
This commit is contained in:
Sravan
2026-06-12 01:13:31 +05:30
parent ba8bfc3f46
commit d045847a59
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/routes.js
+11 -1
View File
@@ -65,12 +65,22 @@ route('POST', '/api/login', async (req, res) => {
if (existing && existing.active === 0) return json(res, 403, { error: 'This account has been deactivated' });
let u = (existing && A.verifyPassword(password, existing.pw_salt, existing.pw_hash)) ? existing : null;
let bzMsg = null;
if (!u) {
const bz = await BZ.validateLogin(email, password);
if (bz.ok) u = provisionFromBizgaze(email, bz);
else if (bz.error) return json(res, 503, { error: bz.error });
else bzMsg = bz.message || null; // BizGaze was configured and rejected the credentials
}
if (!u) {
// Specific feedback where we can be truthful:
if (existing) return json(res, 401, { error: 'Incorrect password. Please try again.' });
// No local account. BizGaze (the identity provider) doesn't reveal whether an email
// exists, so when it rejects we surface its own message (covers wrong password +
// any lockout warning). Only when BizGaze isn't in play can we say "not registered".
if (bzMsg) return json(res, 401, { error: bzMsg });
return json(res, 404, { error: 'This email is not registered.' });
}
if (!u) return json(res, 401, { error: 'invalid credentials' });
const tok = A.token();
const ttl = remember ? 1000 * 60 * 60 * 24 * 30 : SESSION_TTL; // 30 days if remembered, else 24h