Closed
Description
Trying to connect with a valid user and pass, but incorrect database specified, yields "Couldn't authenticate user: Invalid username/password" error.
This wording is very confusing, arguably incorrect. Maybe it should say something like "Could not authenticate with user/pass on database".
I've noticed this with both the admin web interface, as well as the python client.
Activity
Dieterbe commented on Apr 7, 2014
If the db doesn't even exist, maybe the error should just be "this database doesn't exist".
jvshahid commented on Apr 7, 2014
I'm worried that someone can use the error message to detect valid database names. InfluxDB is built to be a multitenant database; this error message leaks information that could potentially be a security risk. That's my opinion, I'm happy to hear others' opinions on this.
pauldix commented on Apr 7, 2014
I could go either way on this. On the one hand, better error messages are better usability. But I see the potential security issue. Maybe we should optimize for usability? For those that care about security, they probably won't be exposing InfluxDB directly to the net anyway. Thus they'll have a proxy that everything has to go through and they can hide things there.
Dieterbe commented on Apr 7, 2014
OK, so maybe no "this database doesn't exist" messages. But then at least we can say "the user/password/database combination is incorrect", which reveals nothing, yet is clearer that it can be any of those 3 that's wrong.
jvshahid commented on Apr 7, 2014
Ok, that's doable. Moving this to 0.5.6
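The trade-off discussed in this thread, as an added example that is not InfluxDB's code: a check that answers differently for a missing database next to one that returns a single error for any wrong user/password/database. The function names, the in-memory `store` and the sample credentials are hypothetical; the error strings are the ones quoted in the comments above.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed sample data: database -> user -> SHA-256 of the password.
// (A real server would use a slow password hash; SHA-256 keeps this stdlib-only.)
var store = map[string]map[string][32]byte{
	"metrics": {"alice": sha256.Sum256([]byte("s3cret"))},
}

var (
	ErrNoDatabase  = errors.New("this database doesn't exist")
	ErrBadPassword = errors.New("Invalid username/password")
	ErrAuthFailed  = errors.New("the user/password/database combination is incorrect")
)

// AuthLeaky answers differently for a missing database, so an
// unauthenticated caller can tell which database names are valid.
func AuthLeaky(db, user, pass string) error {
	users, ok := store[db]
	if !ok {
		return ErrNoDatabase
	}
	want, ok := users[user]
	got := sha256.Sum256([]byte(pass))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return ErrBadPassword
	}
	return nil
}

// AuthUniform returns one error for every failure and always runs the hash
// comparison, so neither the message nor an early return separates the cases.
func AuthUniform(db, user, pass string) error {
	want, known := store[db][user] // indexing a nil inner map yields the zero value
	got := sha256.Sum256([]byte(pass))
	match := subtle.ConstantTimeCompare(want[:], got[:]) == 1
	if !known || !match {
		return ErrAuthFailed
	}
	return nil
}

func main() {
	fmt.Println(AuthLeaky("nope", "alice", "x"), "|", AuthUniform("nope", "alice", "x"))
}
```

The specific cause can still be written to a server-side log that only operators can read, which keeps the usability benefit without exposing it to unauthenticated clients.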
malthe commented on Sep 8, 2014
Not sure if this is related, but I get some strange characters in that error message:
jvshahid commented on Sep 8, 2014
@malthe This issue is closed and is not related. Can you trace the request using tcpdump or wireshark and send the results on the mailing list with the error you're getting? I'm suspecting this has something to do with compression.
malthe commented on Sep 8, 2014
@jvshahid – I have started a new topic on the mailing list and attached the wireshark dump.
Merge pull request #415 from influxdata/feat/cli-env-var-for-email-ad…