Context - why is this issue relevant?
The playground currently exposes different login error messages (invalid password / user not found).
This allows user enumeration and does not follow authentication security best practices.
Objective – what is the aim of this issue?
Replace login error messages with a single generic message that does not reveal whether a user exists or if the password is incorrect.
Expected outcomes – what do we expect at the end of this issue (concrete outcomes)?
Outcomes
- All authentication failures return the same generic error message.
- The frontend no longer exposes whether a user exists.
Acceptance criteria
- Invalid username and invalid password return the same error message.
- No authentication error message reveals user existence.
- Existing tests are updated or added to cover this behavior.
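
One way to meet these acceptance criteria, as an added Node.js example that is not the playground's own code: both failure paths return a byte-identical response, and the real reason goes only to a server-side audit log. The names `login`, `GENERIC_LOGIN_ERROR`, `users` and `auditLog` and the use of scrypt are assumptions. The example goes one step beyond the message text by doing the same hashing work for unknown users, so response time does not reveal user existence either.

```javascript
const crypto = require("crypto");

// Single message for every authentication failure (hypothetical wording).
const GENERIC_LOGIN_ERROR = "Invalid username or password.";

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: hashPassword(password, salt) };
}

// Constructed sample user store; a real service would query its database.
const users = new Map([["alice", makeRecord("correct horse battery staple")]]);

// Record checked when the username is unknown, so both failure paths
// perform one scrypt computation and one constant-time comparison.
const DUMMY = makeRecord(crypto.randomBytes(16).toString("hex"));

// Server-side only: the specific reason is kept for operators, never returned.
const auditLog = [];

function login(username, password) {
  const record = users.get(username);
  const { salt, hash } = record || DUMMY;
  const candidate = hashPassword(String(password), salt);
  const passwordOk = crypto.timingSafeEqual(candidate, hash);

  if (record && passwordOk) {
    return { status: 200, body: { ok: true } };
  }

  auditLog.push({ username, reason: record ? "bad_password" : "unknown_user" });
  // Same status code and same body whichever check failed.
  return { status: 401, body: { ok: false, error: GENERIC_LOGIN_ERROR } };
}
```

A regression test for the first acceptance criterion can compare the serialized responses for a wrong password and an unknown username and fail if they differ in any field.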