justin at gnubia.net
Sat Apr 26 12:23:14 EDT 2003
> Maybe you want to produce more detailed errors why the auth failed. I.e. when
> you have several services and a user isn't subscribed to one of them you'll
> get an "unknown user" error, I think you should get a different error saying
> something about "service subscription" if the user is subscribed to other
> services on the same server.
This is an arguable point..
Consider, from a security standpoint, that an attacker is trying to
brute-force your server. 'service subscription' error says 'you have
correctly guessed a username, but are attempting to access the wrong
service'. Having a valid username is much closer to a username/password
pair than not having a valid username.. ;p
Perhaps it should be configurable to behave both ways.
More information about the Twisted-Python
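
The trade-off discussed in this message, sketched as an added example (not part of the original post and not Twisted's own code): a hypothetical `authenticate` function with a `detailed_errors` switch. All names and the sample user are constructed. With the switch off, every failure returns the same client message and the specific reason goes only to the server log.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("auth-example")
GENERIC = "authentication failed"
_SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample data: username -> (password hash, subscribed services)
USERS = {"alice": (_hash("correct horse"), {"imap"})}
_DUMMY_HASH = _hash("placeholder for unknown users")


def authenticate(user, password, service, detailed_errors=False):
    """Return (ok, message_for_client). The real reason is always logged."""
    record = USERS.get(user)
    stored, services = record if record else (_DUMMY_HASH, set())
    # Hash and compare even for unknown users, so the work done is the same
    password_ok = hmac.compare_digest(stored, _hash(password))
    if record is None:
        reason = "unknown user"
    elif service not in services:
        reason = "service subscription"  # confirms the username exists
    elif not password_ok:
        reason = "bad password"
    else:
        return True, "ok"
    # Operators still get the detail; the client only gets it when opted in
    log.info("auth failure user=%r service=%r reason=%s", user, service, reason)
    return False, (reason if detailed_errors else GENERIC)
```
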