I want a different message for a wrong password and a wrong username. How can I detect from the response whether the username or the password is wrong?

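import aiohttp
async def login(url, username, password, Some_data):  # url: login endpoint, not given in the question
    auth = aiohttp.BasicAuth(username, password)
    async with aiohttp.ClientSession(auth=auth) as client:
        async with client.post(url, data=Some_data) as response:
            return response.status  # HTTP status code of the reply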
  • If the server doesn't tell you, you just don't know. And a sensible server won't tell you, since that allows an attacker to narrow down possible credentials more quickly. – deceze Sep 10 '19 at 09:33
  • Not sure about that API, I'm not into Python either, but well-done APIs usually do have a response/status code. If the server provides it (doesn't fake it) you could check it https://en.wikipedia.org/wiki/List_of_HTTP_status_codes – Cleptus Sep 10 '19 at 09:48
  • If I print response.status then it is the same (401) for a wrong password as well as for a wrong username – jayashri sathe Sep 10 '19 at 10:01
  • Usually 401 means "Your credentials are wrong", but it is not intended to disclose what is wrong, whether the user or the password. IMHO it should never disclose that information because it could help attackers (hackers/pentesters). If the response body does not have extra info, you cannot know. – Cleptus Sep 10 '19 at 10:11

1 Answer

Odoo is not providing this information on login. Internally (backend resp. application server) it is just getting a user ID if login and password are both correct or False if something is wrong. So Odoo isn't even providing the information at the backend level.

CZoellner
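The behaviour described in the comments and the answer above (a user ID on success, `False` and an identical 401 for either kind of failure), as an added example that is not Odoo's code and not part of the original thread. The `USERS` store, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value, kept low so the example runs quickly

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(uid: int, password: str) -> dict:
    salt = os.urandom(16)
    return {"uid": uid, "salt": salt, "hash": _hash(password, salt)}

# Constructed user store (hypothetical; stands in for the users table).
USERS = {"alice": make_record(7, "correct horse")}

# Record that is verified when the login is unknown, so both failure paths
# perform the same key derivation and the same comparison.
_DUMMY = make_record(0, os.urandom(16).hex())

def authenticate(login: str, password: str):
    """Return the user ID if login and password both match, else False."""
    record = USERS.get(login)
    candidate = record if record is not None else _DUMMY
    matches = hmac.compare_digest(
        _hash(password, candidate["salt"]), candidate["hash"]
    )
    if record is not None and matches:
        return record["uid"]
    return False  # no hint about which half of the credentials was wrong

def login_response(login: str, password: str):
    """Map the result to (status, body); every failure looks the same."""
    uid = authenticate(login, password)
    if uid is False:  # 'is False' so that a legitimate uid of 0 is not a failure
        return 401, {"error": "invalid credentials"}
    return 200, {"uid": uid}
```

A client such as the aiohttp code in the question only ever sees the status and body returned by `login_response`, so it has nothing to branch on for the two failure cases.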