From d5945d25f9e449f7bbbfd1e84f129991f45f95e4 Mon Sep 17 00:00:00 2001
From: Emile-Hugo SPIR
Date: Fri, 28 Jul 2023 14:22:46 +0200
Subject: [PATCH 1/2] Proprerly tag whether a user is present or not

---
 routes/login.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routes/login.ts b/routes/login.ts
index 174fe8f46..63761f58b 100644
--- a/routes/login.ts
+++ b/routes/login.ts
@@ -38,7 +38,7 @@ module.exports = function login () {
 .then((authenticatedUser: { data: User }) => { // vuln-code-snippet neutral-line loginAdminChallenge loginBenderChallenge loginJimChallenge
 const user = utils.queryResultToJson(authenticatedUser)
 if (user.data?.id && user.data.totpSecret !== '') {
- tracer.appsec.trackUserLoginFailureEvent(req.body.email || '', false, {
+ tracer.appsec.trackUserLoginFailureEvent(req.body.email || '', true, {
 reason: 'missing_2fa'
 })
 res.status(401).json({
@@ -58,7 +58,7 @@ module.exports = function login () {
 afterLogin(user, res, next)
 } else {
- tracer.appsec.trackUserLoginFailureEvent(req.body.email || '', false, {})
+ tracer.appsec.trackUserLoginFailureEvent(req.body.email || '', !!user.data?.id, {})
 res.status(401).send(res.__('Invalid email or password.'))
 }
 }).catch((error: Error) => {
From 548f2b4d13c6574f783049966b1695b75f02831a Mon Sep 17 00:00:00 2001
From: Emile-Hugo SPIR
Date: Fri, 28 Jul 2023 15:33:44 +0200
Subject: [PATCH 2/2] Fix the fix

---
 routes/login.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/routes/login.ts b/routes/login.ts
index 63761f58b..74b24a01b 100644
--- a/routes/login.ts
+++ b/routes/login.ts
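Review bot: The first argument on the changed line forwards `req.body.email || ''` to the AppSec tracker unvalidated; the `|| ''` only substitutes falsy values, so a non-string body value (an array or object from a JSON body) would be passed through as the user identifier, and the same expression recurs at the corresponding line in the second hunk of this patch and again in the follow-up patch. Narrowing it once, `const loginId = typeof req.body.email === 'string' ? req.body.email : ''`, and using `loginId` at each call site keeps the value handed to the tracker a string. The bare `true` is correct here because the enclosing `if` has just established `user.data?.id`, but it reads as a magic flag; a comment on that line such as `// account exists but has 2FA enrolled: report as an existing-user login failure` would document why it differs from the other call site. The enclosing login() function starts and ends outside the hunk.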
@@ -58,8 +58,14 @@ module.exports = function login () {
 afterLogin(user, res, next)
 } else {
- tracer.appsec.trackUserLoginFailureEvent(req.body.email || '', !!user.data?.id, {})
- res.status(401).send(res.__('Invalid email or password.'))
+ models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND deletedAt IS NULL`, { model: UserModel, plain: true })
+ .then((authenticatedUser: { data: User }) => {
+ const hasUser = !!utils.queryResultToJson(authenticatedUser).data?.id
+ tracer.appsec.trackUserLoginFailureEvent(req.body.email || '', hasUser, {})
+ res.status(401).send(res.__('Invalid email or password.'))
+ }).catch((error: Error) => {
+ next(error)
+ })
 }
 }).catch((error: Error) => {
 next(error)