BUG #4242: [SQA] : Agency Authentication

BUG #4244: [SQA] : Functional>> Agency Authentication

[SQA] Specific sign-in error messages reveal credential validity instead of using a generic message

Added by Tasfia Zaima 2 months ago. Updated 28 days ago.

Status:
Complete
Priority:
High
Assignee:
Target version:
Start date:
02/03/2026
Due date:
% Done:

100%

Estimated time:
Spent time:

Description

Issue Description
On the Admin Profile Sign In page in the staging environment, the system displays different error messages based on whether the email or password is incorrect:

  • Incorrect email → “User not found”
  • Incorrect password → “The password provided is incorrect”

This behavior reveals which credential is invalid: anyone can confirm whether a given email is registered simply by reading the error text (user enumeration).
However, according to the Lovable design, a single generic error message should be shown for both cases to avoid this information disclosure and follow standard security practice.

Module / Page
Admin Profile → Sign In

Module Section
Authentication / Error Messaging

Screen Size
Desktop

Tested By
Tasfia Zaima


Steps to Reproduce

  1. Navigate to the Admin Profile Sign In page in the staging environment.
  2. Enter an incorrect email with any password and click Sign In.
  3. Observe the alert message.
  4. Enter a registered email with an incorrect password and click Sign In.
  5. Compare both messages with the Lovable design.

Expected Result
A single generic error message should be displayed regardless of whether the email or password is incorrect:
“Username or password is incorrect.”
This prevents exposing which credential is invalid and improves security.

Actual Result
Different error messages are shown depending on the incorrect input, revealing whether the email or password is wrong.
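The two handlers below, added here as an illustration and not the project's own code, contrast the behavior described in this ticket with the intended fix: the "before" handler returns a different message per failing credential, the "after" handler returns the single generic message (the wording later agreed in the comments, "Email or password is incorrect.") and, when the email is unknown, still runs the password check against a placeholder hash so both failure paths do the same amount of work. The in-memory user store, the registered admin account and the scrypt parameters are constructed for the demo.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

type User = { salt: Buffer; hash: Buffer };
type SignInResult = { ok: boolean; message: string };

// scrypt with a per-user salt; fixed 32-byte digests so timingSafeEqual
// always compares equal-length buffers.
function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

// Constructed in-memory store for the demo: one registered admin account.
const adminSalt = randomBytes(16);
const USERS = new Map<string, User>([
  ["admin@example.com", { salt: adminSalt, hash: hashPassword("correct horse battery", adminSalt) }],
]);

// Placeholder credentials used only so the "unknown email" path still performs
// a full password verification (same work as the "known email" path).
const DUMMY_SALT = randomBytes(16);
const DUMMY_HASH = hashPassword("placeholder-not-a-real-password", DUMMY_SALT);

const GENERIC_MESSAGE = "Email or password is incorrect.";

// Before: the message differs depending on which credential failed, so the
// response alone confirms whether an email is registered.
function signInLeaky(email: string, password: string): SignInResult {
  const user = USERS.get(email.trim().toLowerCase());
  if (!user) return { ok: false, message: "Email is not found in our system" };
  if (!timingSafeEqual(hashPassword(password, user.salt), user.hash)) {
    return { ok: false, message: "The password provided is incorrect" };
  }
  return { ok: true, message: "Signed in" };
}

// After: every failure returns the same generic message, and the unknown-email
// case hashes against the placeholder so neither the text nor the amount of
// work done reveals which credential was wrong.
function signInGeneric(email: string, password: string): SignInResult {
  const user = USERS.get(email.trim().toLowerCase());
  const salt = user ? user.salt : DUMMY_SALT;
  const expected = user ? user.hash : DUMMY_HASH;
  const match = timingSafeEqual(hashPassword(password, salt), expected);
  if (!user || !match) return { ok: false, message: GENERIC_MESSAGE };
  return { ok: true, message: "Signed in" };
}
```

A regression check for this ticket is simply that the unknown-email and wrong-password responses of the fixed handler are identical, which is what the assertions below verify.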

Attachments
PoC

Types of Issue

Functional Issue


Root Cause:

Impacted Area:

Actions #1

Updated by Nazmul Hossain Shovon 2 months ago

  • Assignee changed from Ayat Rahman to Nazmul Hossain Shovon
Actions #2

Updated by Al Arafat Siddique 2 months ago

  • Assignee changed from Nazmul Hossain Shovon to Al Arafat Siddique
  • Parent task set to #4244
Actions #3

Updated by Al Arafat Siddique about 2 months ago

  • Assignee changed from Al Arafat Siddique to Tasfia Zaima
Actions #4

Updated by Ayat Rahman about 1 month ago

  • % Done changed from 0 to 100
Actions #5

Updated by Aman Bhuiyan 30 days ago · Edited

  • Assignee changed from Tasfia Zaima to Ayat Rahman

The issue persists: the system still displays the specific error “Email is not found in our system” instead of the intended generic message “Email or password is incorrect,” which compromises security by revealing credential validity.

Actions #6

Updated by Tasfia Zaima 29 days ago

Instead of "Username or password is incorrect.", the expected result is "Email or password is incorrect.", as there is no username field label here.

Actions #7

Updated by Ayat Rahman 28 days ago

  • Assignee changed from Ayat Rahman to Tasfia Zaima
Actions #8

Updated by Tasfia Zaima 28 days ago

  • Status changed from Pending to Complete