From ff898726a6a5e3947c83e553c4697d3e3c5d405f Mon Sep 17 00:00:00 2001
From: Wallun
Date: Tue, 23 Jun 2026 15:43:34 +0200
Subject: [PATCH] refactor(login): sanitize failed login error message

prevents leaking the fact a user exists when entered password is invalid

Closes #2437
---
 src/apps/profiles/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/apps/profiles/views.py b/src/apps/profiles/views.py
index 81c8dc1de..161fd5ffe 100644
--- a/src/apps/profiles/views.py
+++ b/src/apps/profiles/views.py
@@ -290,7 +290,7 @@ def log_in(request):
         try:
             user = User.objects.get((Q(username=username) | Q(email=username)) & Q(is_deleted=False))
         except User.DoesNotExist:
-            messages.error(request, "User does not exist!")
+            messages.error(request, "Invalid login/password")
         else:
             # Authenticate user with credentials
             user = authenticate(username=username, password=password)
@@ -307,7 +307,7 @@ def log_in(request):
                 else:
                     context['activation_error'] = "Your account is not activated. Please check your email for the activation link"
             else:
-                messages.error(request, "Wrong Credentials!")
+                messages.error(request, "Invalid login/password")
         else:
             context['form'] = form
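Review bot: Unifying the two messages does not fully close the user-enumeration channel the commit describes, because the control flow around them still distinguishes the cases: in the first hunk the `User.DoesNotExist` path answers without any password work while an existing account goes on to `authenticate` (a password-hash computation), so the two failures remain separable by response time, and in the second hunk the `activation_error` branch still confirms that an account exists for a valid identifier. The up-front `User.objects.get(...)` lookup is what creates that split; passing the identifier straight to `authenticate(username=username, password=password)` and reporting `Invalid login/password` for any `None` result keeps failure handling on one path (Django's default `ModelBackend` runs a dummy hash for unknown users, though the username-or-email match here suggests a custom backend is in play, so confirm it does the same). Separately, `.get()` on `Q(username=username) | Q(email=username)` can raise `MultipleObjectsReturned` when one account's email equals another's username, and only `DoesNotExist` is caught. `log_in` begins before the first hunk and continues past the second, so the surrounding form handling is not visible here.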