Describe the bug / actual behavior
Depending on whether you use an existing or a non-existing username to log in, you get different error messages. That's a (rather small) security risk, because an attacker can identify valid usernames before e.g. trying to brute-force them.
There is also no CSRF token used for the login form (thanks to @mweinelt for this finding!), which means I could easily hammer the login form with a simple for-loop and curl combination in a bash script.
Expected behavior
Shiori should always return a generic "Invalid username or password" message in the login form.
Shiori should use a CSRF token to make the login more secure and harder to brute force.
To Reproduce
Steps to reproduce the behavior:
1. Go to the login page
2. Try logging in with an existing username but a wrong password
3. Try logging in with a non-existing username
Notes
% curl 'https://bookmarks.fleaz.me/api/login' -X POST -d '{"username":"fleaz","password":"asd","remember":false}'
username and password don't match
% curl 'https://bookmarks.fleaz.me/api/login' -X POST -d '{"username":"fleazz","password":"asd","remember":false}'
sql: no rows in result set
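As an added example (not Shiori's own code), a Go login function in the shape of the fix the report asks for: the unknown-user case (`sql.ErrNoRows`, the error text that leaked above) and the wrong-password case both return the same generic message, and the unknown-user path still runs a hash comparison so it does not finish visibly faster. The in-memory user store, the SHA-256 stand-in for the password hash and the credentials are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"database/sql"
	"errors"
	"fmt"
)

// ErrInvalidCredentials is the one error every login failure maps to.
var ErrInvalidCredentials = errors.New("username and password don't match")

// hashPassword stands in for a real password hash (constructed for this
// example; a real store would use bcrypt or argon2, not bare SHA-256).
func hashPassword(pw string) []byte {
	h := sha256.Sum256([]byte(pw))
	return h[:]
}

// users is a constructed in-memory stand-in for the account table.
var users = map[string][]byte{"fleaz": hashPassword("correct horse")}

// lookupUser mimics the database query and returns sql.ErrNoRows for an
// unknown username, the error text that leaked in the report.
func lookupUser(username string) ([]byte, error) {
	if h, ok := users[username]; ok {
		return h, nil
	}
	return nil, sql.ErrNoRows
}

// Login returns nil on success and ErrInvalidCredentials on every failure:
// sql.ErrNoRows is folded into the generic error, and the hash comparison
// runs before err is checked so both failure paths do the same work.
func Login(username, password string) error {
	stored, err := lookupUser(username)
	if err != nil {
		stored = hashPassword("dummy-placeholder") // unknown user: same work, same answer
	}
	if subtle.ConstantTimeCompare(stored, hashPassword(password)) != 1 || err != nil {
		return ErrInvalidCredentials
	}
	return nil
}

func main() {
	for _, c := range [][2]string{{"fleaz", "asd"}, {"fleazz", "asd"}, {"fleaz", "correct horse"}} {
		fmt.Printf("%s/%s -> %v\n", c[0], c[1], Login(c[0], c[1]))
	}
}
```

The two curl requests from the notes, replayed against this function, now produce byte-identical error text; only the server log (not the HTTP response) should ever record which of the two causes applied.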