box: run box.session.on_auth triggers if the user doesn't exist
The triggers are supposed to run on any authentication attempt, successful or not. Without it, the admin may not notice a malefactor enumerating user names. Closes #8017 NO_DOC=bug fix (cherry picked from commit 8a2f1653)
Showing
- changelogs/unreleased/gh-8017-on-auth-no-such-user.md 4 additions, 0 deletionschangelogs/unreleased/gh-8017-on-auth-no-such-user.md
- src/box/authentication.cc 11 additions, 7 deletionssrc/box/authentication.cc
- src/box/authentication.h 19 additions, 5 deletionssrc/box/authentication.h
- src/box/lua/session.c 3 additions, 3 deletionssrc/box/lua/session.c
- test/box-luatest/gh_8017_on_auth_no_such_user_test.lua 59 additions, 0 deletionstest/box-luatest/gh_8017_on_auth_no_such_user_test.lua
Loading
Please register or sign in to comment