Improve Error Message on Login

[lautarodragan]

Login currently returns Resource Not Found for anything that isn't a success case, for example:

• If the account doesn't exist
• If the account exists but the password doesn't match
• If any error at all is thrown

frost-api/src/api/accounts/Login.ts

Lines 18 to 39 in 58135e7

	export const Login = (verifiedAccount: boolean, pwnedCheckerRoot: string) => async (ctx: any, next: any) => {
	const logger = ctx.logger(__dirname)
	const { ResourceNotFound } = errors
	try {
	const user = ctx.request.body
	const usersController = new AccountsController(ctx.logger, verifiedAccount, pwnedCheckerRoot)
	const response = await usersController.get(user.email)
	if (isNil(response)) {
	ctx.status = ResourceNotFound.code
	ctx.body = ResourceNotFound.message
	} else {
	await verify(user.password, response.password)
	const token = await getToken(user.email, Token.Login)
	ctx.body = { token, issuer: response.issuer }
	}
	} catch (exception) {
	logger.error({ exception }, 'api.Login')
	ctx.throw(ResourceNotFound.code, ResourceNotFound.message)
	}
	}

For the first and second case, return a different, more explicit message in: No account matching email and password found.. The same message must be returned in both cases to mitigate brute force attacks that try and guess users' emails.

In the case an error is thrown, omit the try/catch block here, let the error middleware take care of it.

Should become something like the following code.

  const user = ctx.request.body
  const usersController = new AccountsController(ctx.logger, verifiedAccount, pwnedCheckerRoot)
  const response = await usersController.get(user.email)

  if (!response)
    throw new AccountNotFound()
    
  const passwordsMatch = await verify(user.password, response.password) // if we refactor verify

  if (!passwordsMatch)
    throw new AccountNotFound()

  const token = await getToken(user.email, Token.Login)
  ctx.body = { token, issuer: response.issuer }