I'm trying to test out One Time Token Authentication and I came across an issue. If I tried to log in with a user that was not in the system, I would get taken back to the login screen and the username would be displayed as an error above both the form login and OTT login.
If I logged in with a user that was available in Spring Security everything worked as expected.
Comment From: rwinch
Thanks for this report @danvega! The error message should still be a generic "failed to authenticate" error message so we don't leak any information about the users that exist or don't. However, I agree that this should not be displaying the username as the error message.
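As an added example (not code from this thread and not the Spring Security project's own fix), the configuration below applies the stance described above to an application's own security config: the one-time-token login path always reports one fixed failure message, regardless of which exception the provider raised, and the token-generation step redirects to the same page whether or not the submitted username exists. It is written against the Spring Security 6.4 API that ships with Boot 3.4; the `MagicLinkDelivery` interface, the `/ott/sent` page, the class name and the wording of the message are assumptions, and `authenticationFailureHandler(...)` on the one-time-token configurer is assumed to be available in that line.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.util.UriComponentsBuilder;

@Configuration
public class OttSecurityConfig {

    /** Out-of-band delivery of the magic link (e-mail, SMS, ...). Assumed interface, not a Spring type. */
    public interface MagicLinkDelivery {
        void send(String username, String magicLink);
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, MagicLinkDelivery delivery) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/ott/sent").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(ott -> ott
                .tokenGenerationSuccessHandler(magicLinkHandler(delivery))
                .authenticationFailureHandler(genericFailureHandler()));
        return http.build();
    }

    OneTimeTokenGenerationSuccessHandler magicLinkHandler(MagicLinkDelivery delivery) {
        // The browser is always sent to the same page, so the response to the generate request
        // does not reveal whether the username belongs to an existing account.
        OneTimeTokenGenerationSuccessHandler redirect =
                new RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent");
        return (request, response, oneTimeToken) -> {
            // Build the link to the default submit page (/login/ott), carrying the token value.
            String magicLink = UriComponentsBuilder
                    .fromUriString(UrlUtils.buildFullRequestUrl(request))
                    .replacePath(request.getContextPath() + "/login/ott")
                    .replaceQuery(null)
                    .queryParam("token", oneTimeToken.getTokenValue())
                    .build()
                    .toUriString();
            // Token leaves the application only via the out-of-band channel, never in the response.
            delivery.send(oneTimeToken.getUsername(), magicLink);
            redirect.handle(request, response, oneTimeToken);
        };
    }

    AuthenticationFailureHandler genericFailureHandler() {
        return new SimpleUrlAuthenticationFailureHandler("/login?error") {
            @Override
            public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                    AuthenticationException exception) throws IOException, ServletException {
                // The default login page renders the message of the exception stored in the session.
                // Replace whatever the provider threw (unknown user, expired or already-used token)
                // with a fixed message, so neither the username nor the failure reason is echoed.
                super.onAuthenticationFailure(request, response,
                        new BadCredentialsException("Invalid or expired one-time token"));
            }
        };
    }
}
```

With this in place, submitting a token for a username that does not exist, an expired token, or a token that has already been consumed all produce the same redirect to `/login?error` and the same text on the page; the distinguishing detail is still available server-side for logging and alerting if the application records the original exception before wrapping it.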
Comment From: Tejas-Teju
Update: I can confirm the issue persists.
I did not know that OTT could be generated for users who aren't in the system.
Hey @danvega
spring-boot-starter-security: v3.4.2
I double-checked the above scenario. I didn't come across this issue. Let me know if I am missing something.
Steps:
1. Generate a token for the default "user" from the /login page
2. Provide an invalid ott-token at the /login/ott page
Output: