Sentry 2 "A user was found to match all plain text credentials however hashed credential [password] did not match."

StackOverflow https://stackoverflow.com/questions/23632541

  •  21-07-2023

I'm getting this error when a username matches but a password doesn't, which is good if you want a hacker to find out they're using the correct email address to log in and can keep guessing the password.

What I would like to know is, how do I stop this message from showing up when they have entered a correct address, but wrong password?

In my View, I just have this...

    @if($errors->has('login'))
        <div class="alert alert-danger">{{ $errors->first('login', ':message') }}</div>
    @endif

I'm using Sentry's default configuration. Is there something I could just set to false so this message doesn't show? I would like it to show all the other error messages, just not this one, as it's a pretty big security risk.

I would be grateful for any help on this.


Solution

The docs for Sentry recommend (and I would too) using a try/catch in the server-side validation routine instead. Sentry Documentation

Specifically, catch the Cartalyst\Sentry\Users\WrongPasswordException and set your own error message:

    try
    {
        // Set login credentials
        $credentials = array(
            'email'    => 'john.doe@example.com',
            'password' => 'test',
        );

        // Try to authenticate the user
        $user = Sentry::authenticate($credentials, false);
    }
    catch (Cartalyst\Sentry\Users\WrongPasswordException $e)
    {
        // Replace Sentry's detailed message with your own text
        echo 'Wrong Login Info, try again.';
    }
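
The following is an added example, not code from the original answer or from the Sentry project. It goes one step beyond the answer: Sentry 2 throws UserNotFoundException for an unknown login and WrongPasswordException for a known one, so both have to produce the same text or the response still reveals which addresses are registered. It assumes Laravel 4 with the Sentry 2 facade; `loginError()` and `postLogin()` are hypothetical names.

```php
<?php
// Added example. Assumes Laravel 4 with the Sentry 2 facade registered.
// loginError() and postLogin() are hypothetical helper names.

/**
 * Turn an exception thrown by Sentry::authenticate() into the text shown
 * to the visitor. Only "field left empty" errors get specific wording;
 * every other Sentry failure shares one message.
 */
function loginError(Exception $e)
{
    $class = get_class($e);

    // Not a Sentry exception (e.g. a database error): do not mask it.
    if (strpos($class, 'Cartalyst\\Sentry\\') !== 0) {
        throw $e;
    }

    // These depend only on the submitted form, not on any stored account.
    $specific = array(
        'Cartalyst\\Sentry\\Users\\LoginRequiredException'    => 'Email is required.',
        'Cartalyst\\Sentry\\Users\\PasswordRequiredException' => 'Password is required.',
    );
    if (isset($specific[$class])) {
        return $specific[$class];
    }

    // WrongPasswordException, UserNotFoundException and the remaining
    // Sentry exceptions all map to the same text.
    return 'Wrong login info, try again.';
}

// Controller action: the message goes under the 'login' key, which is what
// the view reads with $errors->first('login').
function postLogin()
{
    try {
        Sentry::authenticate(Input::only('email', 'password'), false);
    } catch (Exception $e) {
        $message = loginError($e);
        // The precise reason is kept server-side for monitoring.
        Log::info('Login failed: ' . get_class($e));
        return Redirect::back()->withErrors(array('login' => $message));
    }
    return Redirect::intended('/');
}
```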
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow