don't audit log missing username or password, change query param value

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>

internal/federationdomain/endpoints/auth/auth_handler.go

@@ -257,7 +257,6 @@ func (h *authorizeHandler) authorizeWithoutBrowser(
 				ReqCtx: r.Context(),
 			})
 		}
-
 		return err
 	}
 

internal/federationdomain/endpoints/login/get_login_handler_test.go

@@ -47,13 +47,13 @@ func TestGetLogin(t *testing.T) {
 			wantBody:        testutil.ExpectedLoginPageHTML(loginhtml.CSS(), testUpstreamName, testPath, testEncodedState, ""), // no alert message
 		},
 		{
-			name: "displays error banner when err=login_error param is sent",
+			name: "displays error banner when err=incorrect_username_or_password param is sent",
 			decodedState: &oidc.UpstreamStateParamData{
 				UpstreamName: testUpstreamName,
 				UpstreamType: testUpstreamType,
 			},
 			encodedState:    testEncodedState,
-			errParam:        "login_error",
+			errParam:        "incorrect_username_or_password",
 			wantStatus:      http.StatusOK,
 			wantContentType: htmlContentType,
 			wantBody: testutil.ExpectedLoginPageHTML(loginhtml.CSS(), testUpstreamName, testPath, testEncodedState,

internal/federationdomain/endpoints/login/login_handler_test.go

@@ -363,7 +363,7 @@ func TestLoginEndpoint(t *testing.T) {
 			wantAuditLogs: func(encodedStateParam stateparam.Encoded) []testutil.WantedAuditLog {
 				return []testutil.WantedAuditLog{
 					testutil.WantAuditLog("HTTP Request Parameters", map[string]any{
-						"params": map[string]any{"state": "redacted", "err": "login_error"},
+						"params": map[string]any{"state": "redacted", "err": "incorrect_username_or_password"},
 					}),
 					testutil.WantAuditLog("AuthorizeID From Parameters", map[string]any{
 						"authorizeID": encodedStateParam.AuthorizeID(),

internal/federationdomain/endpoints/login/post_login_handler.go

@@ -77,10 +77,6 @@ func NewPostHandler(
 
 		// Treat blank username or password as a bad username/password combination, as opposed to an internal error.
 		if submittedUsername == "" || submittedPassword == "" {
-			auditLogger.Audit(auditevent.IncorrectUsernameOrPassword, &plog.AuditParams{
-				ReqCtx: r.Context(),
-			})
-
 			// User forgot to enter one of the required fields.
 			// The user may try to log in again if they'd like, so redirect back to the login page with an error.
 			return redirectToLoginPage(r, w, issuerURL, encodedState, loginurl.ShowBadUserPassErr)

internal/federationdomain/endpoints/login/post_login_handler_test.go

@@ -64,7 +64,7 @@ func TestPostLoginEndpoint(t *testing.T) {
 
 		userParam                = "username"
 		passParam                = "password"
-		badUserPassErrParamValue = "login_error"
+		badUserPassErrParamValue = "incorrect_username_or_password"
 		internalErrParamValue    = "internal_error"
 
 		transformationUsernamePrefix = "username_prefix:"
@@ -942,17 +942,6 @@ func TestPostLoginEndpoint(t *testing.T) {
 			wantContentType:              htmlContentType,
 			wantBodyString:               "",
 			wantRedirectToLoginPageError: badUserPassErrParamValue,
-			wantAuditLogs: func(sessionID string) []testutil.WantedAuditLog {
-				return []testutil.WantedAuditLog{
-					testutil.WantAuditLog("Using Upstream IDP", map[string]any{
-						"displayName":  "some-ldap-idp",
-						"resourceName": "some-ldap-idp",
-						"resourceUID":  "ldap-resource-uid",
-						"type":         "ldap",
-					}),
-					testutil.WantAuditLog("Incorrect Username Or Password", map[string]any{}),
-				}
-			},
 		},
 		{
 			name:                         "blank password LDAP login",
@@ -963,17 +952,6 @@ func TestPostLoginEndpoint(t *testing.T) {
 			wantContentType:              htmlContentType,
 			wantBodyString:               "",
 			wantRedirectToLoginPageError: badUserPassErrParamValue,
-			wantAuditLogs: func(sessionID string) []testutil.WantedAuditLog {
-				return []testutil.WantedAuditLog{
-					testutil.WantAuditLog("Using Upstream IDP", map[string]any{
-						"displayName":  "some-ldap-idp",
-						"resourceName": "some-ldap-idp",
-						"resourceUID":  "ldap-resource-uid",
-						"type":         "ldap",
-					}),
-					testutil.WantAuditLog("Incorrect Username Or Password", map[string]any{}),
-				}
-			},
 		},
 		{
 			name:                         "username and password sent as URI query params should be ignored since they are expected in form post body",

internal/federationdomain/endpoints/loginurl/login_url.go

@@ -18,7 +18,7 @@ const (
 
 	ShowNoError        ErrorParamValue = ""
 	ShowInternalError  ErrorParamValue = "internal_error"
-	ShowBadUserPassErr ErrorParamValue = "login_error"
+	ShowBadUserPassErr ErrorParamValue = "incorrect_username_or_password"
 )
 
 type ErrorParamValue string

test/testlib/browsertest/browsertest.go

@@ -584,7 +584,7 @@ func WaitForUpstreamLDAPLoginPageWithError(t *testing.T, b *Browser, issuer stri
 
 	// Wait for redirect back to the login page again with an error.
 	t.Logf("waiting for redirect to back to login page with error message")
-	loginURLRegexp, err := regexp.Compile(`\A` + regexp.QuoteMeta(issuer+"/login") + `\?err=login_error&state=.+\z`)
+	loginURLRegexp, err := regexp.Compile(`\A` + regexp.QuoteMeta(issuer+"/login") + `\?err=incorrect_username_or_password&state=.+\z`)
 	require.NoError(t, err)
 	b.WaitForURL(t, loginURLRegexp)