From 8943b6431024f851b9520cf25ddf78953b001205 Mon Sep 17 00:00:00 2001
From: Henri Wahl <2835065+HenriWahl@users.noreply.github.com>
Date: Wed, 12 Oct 2022 23:27:24 +0200
Subject: [PATCH] avoid login error meassage information leak
---
 doko3000/misc.py | 1 +
 doko3000/web.py | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/doko3000/misc.py b/doko3000/misc.py
index 3e47af4..7b61263 100644
--- a/doko3000/misc.py
+++ b/doko3000/misc.py
@@ -2,6 +2,7 @@
 ACCEPTED_JSON_MIMETYPES = ['*/*', 'text/javascript', 'application/json']
+MESSAGE_LOGIN_FAILURE = "Login-Fehler"
 def is_xhr(request):
 """
diff --git a/doko3000/web.py b/doko3000/web.py
index 83a8e09..1525359 100644
--- a/doko3000/web.py
+++ b/doko3000/web.py
@@ -21,7 +21,8 @@ from .game import Deck, \
 Game
 from .misc import get_hash, \
- is_xhr
+ is_xhr, \
+ MESSAGE_LOGIN_FAILURE
 # needed for ajax detection
 ACCEPTED_JSON_MIMETYPES = ['*/*', 'text/javascript', 'application/json']
@@ -995,12 +996,12 @@ def login():
 player = game.get_player(request.values['name'])
 if player:
 if not player.check_password(request.values['password']):
- flash('Falsches Passwort :-(')
+ flash(MESSAGE_LOGIN_FAILURE)
 else:
 login_user(player, remember=True)
 return redirect(url_for('index'))
 else:
- flash('Spieler nicht bekannt :-(')
+ flash(MESSAGE_LOGIN_FAILURE)
 # got to login if not logged in
 return render_template('login.html', title=f"{app.config['TITLE']} Login")
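Review bot: The new constant MESSAGE_LOGIN_FAILURE in misc.py carries no comment recording why its text is deliberately uninformative, so the intent behind this commit is invisible to a later maintainer who may split it back into separate "wrong password" and "unknown player" texts. I would add `# Deliberately generic: the same text is shown for an unknown player and for a wrong password so the login form does not reveal which names exist.` directly above the definition. The blank-line context around the constant was lost in the collapsed patch, so its exact placement relative to is_xhr is not visible here.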
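Review bot: In the login() hunk both branches now flash MESSAGE_LOGIN_FAILURE, but the outer `else` branch for an unknown name never calls `player.check_password`, so the response time still differs between an unknown player and a wrong password; whether that difference is measurable depends on the cost of check_password, which is not visible in this hunk. The usual mitigation is to run the same password verification against a fixed dummy credential in the unknown-player branch so both paths do comparable work, and to record the specific reason only in a server-side log. I would also add `# same message for unknown name and wrong password: do not reveal which players exist` next to the first flash call so the unification is not undone later. The body of login() begins above this hunk, so any request-level checks before `get_player` are out of view.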