Conversation

@15921483570 (Contributor) commented Nov 14, 2025

packages/hydrooj/src/error.ts:

Both the wrong-username and wrong-password cases now use "Invalid username or password.", to prevent username enumeration combined with password brute-forcing from leading to a takeover of the admin backend.

packages/hydrooj/locales/zh.yaml:

Added translation:
Invalid username or password.: 用户名或密码错误。

Summary by CodeRabbit

  • Bug Fixes
    • Authentication error messages for login failures are now consistent and generic across scenarios.
  • Localization
    • Added Chinese translation for the generic login failure message.

coderabbitai bot commented Nov 14, 2025

Walkthrough

The PR standardizes authentication failure messaging: LoginError message changed from a password-specific string to "Invalid username or password." UserNotFoundError now constructs an error with code "LoginError", class ForbiddenError, and the same generic message (previously a distinct "UserNotFoundError" with NotFoundError and a username-including message). A Chinese localization entry "用户名或密码错误。" was added.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review impact of changing UserNotFoundError code from "UserNotFoundError" to "LoginError" on callers, logging, metrics, and error handling.
  • Verify the switch from NotFoundError to ForbiddenError does not break upstream error type checks or HTTP response expectations.
  • Confirm tests (if any) and monitoring/alerting rules are updated to reflect the new error code/class.
  • Validate localization key usage and encoding for the added Chinese entry.

Suggested reviewers

  • undefined-moe

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Unify authentication error messages to prevent username enumeration' clearly and accurately summarizes the main change: consolidating login error messages to hide whether a username exists, thereby preventing username enumeration attacks.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f846650 and f159c74.

📒 Files selected for processing (1)
  • packages/hydrooj/src/error.ts (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/hydrooj/src/error.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (javascript)
  • GitHub Check: build

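The behaviour the walkthrough describes, as an added example in TypeScript that is not hydrooj's own code: both failure paths throw one error carrying the same code, class and message, so a client cannot tell an unknown username from a wrong password. The `ForbiddenError` class here is a hypothetical stand-in for the framework class (its 403 status is an assumption, not taken from the project), and the in-memory user store and the registered account are constructed sample data. One caveat the PR does not address and the example handles: if the unknown-user path returns before hashing anything, response time alone still separates the two cases, so the example runs the same scrypt derivation against a dummy record and compares with `timingSafeEqual`.

```typescript
// Added example, not hydrooj code: a login routine whose two failure paths
// are indistinguishable to the client by message, error code, class and
// (approximately) timing.
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Hypothetical stand-in for the framework's ForbiddenError; the 403 status
// is an assumption, not taken from hydrooj.
class ForbiddenError extends Error {
  readonly code = 'LoginError';
  readonly status = 403;
  constructor() {
    super('Invalid username or password.');
    this.name = 'ForbiddenError';
  }
}

interface UserRecord {
  uname: string;
  salt: Buffer;
  hash: Buffer;
}

const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 32;

function deriveKey(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, KEY_LEN, SCRYPT_PARAMS);
}

// Constructed in-memory user store with sample data (no real accounts).
const users = new Map<string, UserRecord>();

function register(uname: string, password: string): void {
  const salt = randomBytes(16);
  users.set(uname, { uname, salt, hash: deriveKey(password, salt) });
}

// Dummy credential used when the username does not exist, so that path
// still pays for exactly one scrypt derivation like the known-user path.
const DUMMY_SALT = randomBytes(16);
const DUMMY_HASH = deriveKey(randomBytes(32).toString('hex'), DUMMY_SALT);

function login(uname: string, password: string): UserRecord {
  const user = users.get(uname);
  const salt = user ? user.salt : DUMMY_SALT;
  const expected = user ? user.hash : DUMMY_HASH;
  const actual = deriveKey(password, salt);
  // timingSafeEqual inspects every byte regardless of the first mismatch.
  const matches = timingSafeEqual(actual, expected);
  if (user === undefined || !matches) throw new ForbiddenError();
  return user;
}

// What a client observes for an attempt: success, or the error's fields.
interface Outcome { ok: boolean; code?: string; status?: number; message?: string; }

function attempt(uname: string, password: string): Outcome {
  try {
    login(uname, password);
    return { ok: true };
  } catch (e) {
    const err = e as ForbiddenError;
    return { ok: false, code: err.code, status: err.status, message: err.message };
  }
}

// Sample account (constructed).
register('alice', 'correct horse battery staple');

// True when the unknown-user and wrong-password failures are identical in
// every client-visible field.
function failuresIndistinguishable(): boolean {
  const wrongPassword = attempt('alice', 'not-her-password');
  const unknownUser = attempt('mallory', 'not-her-password');
  return !wrongPassword.ok && !unknownUser.ok
    && wrongPassword.code === unknownUser.code
    && wrongPassword.status === unknownUser.status
    && wrongPassword.message === unknownUser.message;
}

console.log(attempt('alice', 'correct horse battery staple'));
console.log(attempt('alice', 'not-her-password'));
console.log(attempt('mallory', 'not-her-password'));
console.log('indistinguishable:', failuresIndistinguishable());
```

The dummy derivation is the part a message-only fix leaves out: with the same cost parameters on both paths, the unknown-user and wrong-password attempts differ only in which stored hash is compared, not in how long the server takes to answer.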


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 7f7bff9 and f846650.

📒 Files selected for processing (2)
  • packages/hydrooj/locales/zh.yaml (1 hunks)
  • packages/hydrooj/src/error.ts (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
packages/hydrooj/src/error.ts (1)
framework/framework/error.ts (2)
  • ForbiddenError (50-50)
  • NotFoundError (51-51)
🔇 Additional comments (2)
packages/hydrooj/locales/zh.yaml (1)

428-428: LGTM! Translation is accurate.

The Chinese translation "用户名或密码错误。" correctly conveys "Invalid username or password." and aligns with the security improvements in the error handling code.

packages/hydrooj/src/error.ts (1)

15-15: LGTM! Good security improvement.

The generic error message "Invalid username or password." prevents information leakage about valid usernames and aligns with the PR's security objectives.

@15921483570 15921483570 changed the title from 安全性改进 (Security improvement) to Unify authentication error messages to prevent username enumeration Nov 14, 2025
@undefined-moe (Member) commented:
If a user's password is strong enough, it makes no sense to brute-force the password.
If not, hiding username existence also makes no sense. The person who uses 123456 as a password will likely use admin / root as the username.

Doing this only annoys those who actually have variants of their usernames in use on different platforms (and they might forget their username if not active for a period).

If you want better security, either update the password rule or set up 2FA instead.
