
github.com/MHSanaei/3x-ui.git - Unnamed repository; edit this file 'description' to name the repository.
authorAleksei Sidorenko <88515338+rydve@users.noreply.github.com>2026-03-04 20:26:53 +0300
committerGitHub <noreply@github.com>2026-03-04 20:26:53 +0300
commita2097ad06218d49f5aad20254b7bb8c2a9fc0e03 (patch)
treee6301703482c51bc06a1e6471f251249810bb8c8 /web/service
parent52fdf5d4296b4534e25d6221d82ec7d819a9b952 (diff)
feat: mask password in telegram notification on 2FA failure (#3884)
Diffstat (limited to 'web/service')
-rw-r--r--web/service/user.go20
1 files changed, 9 insertions, 11 deletions
diff --git a/web/service/user.go b/web/service/user.go
index 1bde69f6..0a2a3f3e 100644
--- a/web/service/user.go
+++ b/web/service/user.go
@@ -33,7 +33,7 @@ func (s *UserService) GetFirstUser() (*model.User, error) {
return user, nil
}
-func (s *UserService) CheckUser(username string, password string, twoFactorCode string) *model.User {
+func (s *UserService) CheckUser(username string, password string, twoFactorCode string) (*model.User, error) {
db := database.GetDB()
user := &model.User{}
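Review bot: The exported `CheckUser` has no doc comment, and the new `error` result makes its contract harder to infer, since some errors mean "login rejected" and others are infrastructure failures. I would add something like `// CheckUser verifies the password (local hash, then LDAP when enabled) and the TOTP code when 2FA is on; it returns the user, or nil and a non-nil error on any failure.` above the signature. The commit also deletes the two inline comments that explained the LDAP fallback, so this would be the only description left. The function body continues outside this hunk.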
@@ -43,17 +43,16 @@ func (s *UserService) CheckUser(username string, password string, twoFactorCode
First(user).
Error
if err == gorm.ErrRecordNotFound {
- return nil
+ return nil, errors.New("invalid credentials")
} else if err != nil {
logger.Warning("check user err:", err)
- return nil
+ return nil, err
}
- // If LDAP enabled and local password check fails, attempt LDAP auth
if !crypto.CheckPasswordHash(user.Password, password) {
ldapEnabled, _ := s.settingService.GetLdapEnable()
if !ldapEnabled {
- return nil
+ return nil, errors.New("invalid credentials")
}
host, _ := s.settingService.GetLdapHost()
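Review bot: The rejection reasons are built inline with `errors.New("invalid credentials")` here and in the LDAP and 2FA hunks below, so a caller that must tell a 2FA failure from a bad password can only compare message strings. Package-level sentinels such as `var ErrInvalidCredentials = errors.New("invalid credentials")` and `var ErrInvalidTwoFactorCode = errors.New("invalid 2fa code")` would let callers use `errors.Is` instead. Separately, the `return nil, err` branch now hands the raw database error to the caller. The login handler is not visible here, but if it relays error text to the client or to a notification, it should map anything that is not one of these sentinels to a generic message. CheckUser's body starts before and continues after this hunk.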
@@ -77,15 +76,14 @@ func (s *UserService) CheckUser(username string, password string, twoFactorCode
}
ok, err := ldaputil.AuthenticateUser(cfg, username, password)
if err != nil || !ok {
- return nil
+ return nil, errors.New("invalid credentials")
}
- // On successful LDAP auth, continue 2FA checks below
}
twoFactorEnable, err := s.settingService.GetTwoFactorEnable()
if err != nil {
logger.Warning("check two factor err:", err)
- return nil
+ return nil, err
}
if twoFactorEnable {
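Review bot: When `ldaputil.AuthenticateUser` returns an error, the new branch reports it as `invalid credentials` and never logs it. An unreachable or misconfigured directory is then indistinguishable from a wrong password, both in the return value and in the logs. The other error branches in this function log through `logger.Warning`, so adding `if err != nil { logger.Warning("ldap auth err:", err) }` before the return keeps the caller-facing result generic while leaving operators a trail. The surrounding function is only partly inside this hunk.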
@@ -93,15 +91,15 @@ func (s *UserService) CheckUser(username string, password string, twoFactorCode
if err != nil {
logger.Warning("check two factor token err:", err)
- return nil
+ return nil, err
}
if gotp.NewDefaultTOTP(twoFactorToken).Now() != twoFactorCode {
- return nil
+ return nil, errors.New("invalid 2fa code")
}
}
- return user
+ return user, nil
}
func (s *UserService) UpdateUser(id int, username string, password string) error {
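Review bot: Returning a distinct `invalid 2fa code` error tells whoever sees it that the username and password were already accepted. That suits the server-side notification this commit targets, but the calling handler (not shown) should still answer the unauthenticated client with the same generic failure it uses for bad credentials, otherwise the response becomes a password-validity oracle. I would document that on the return with a comment such as `// password was valid at this point; do not expose this distinction to the client`. The unchanged comparison above also uses `!=` on the TOTP string, where `subtle.ConstantTimeCompare` from `crypto/subtle` would be the more defensive choice.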