From 9bcef6b5ea4e28c17b7897a4ebce2d1aa73d6a2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 23 Mar 2026 09:43:15 -0400
Subject: [PATCH] fix: #14116, don't return ban reason if login credentials are incorrect

---
 src/controllers/authentication.js | 19 +++++++++----------
 test/user.js | 11 +++++++++++
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index 63c551c5af..fab6b8d8cc 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -409,21 +409,20 @@ authenticationController.localLogin = async function (req, username, password, n
 
 	userData.isAdminOrGlobalMod = isAdminOrGlobalMod;
 
-	if (!canLoginIfBanned) {
-		return next(await getBanError(uid));
-	}
-
-	// Doing this after the ban check, because user's privileges might change after a ban expires
-	const hasLoginPrivilege = await privileges.global.can('local:login', uid);
-	if (parseInt(uid, 10) && !hasLoginPrivilege) {
-		return next(new Error('[[error:local-login-disabled]]'));
-	}
-
 	try {
 		const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip);
 		if (!passwordMatch) {
 			return next(new Error('[[error:invalid-login-credentials]]'));
 		}
+		if (!canLoginIfBanned) {
+			return next(await getBanError(uid));
+		}
+
+		// Doing this after the ban check, because user's privileges might change after a ban expires
+		const hasLoginPrivilege = await privileges.global.can('local:login', uid);
+		if (parseInt(uid, 10) && !hasLoginPrivilege) {
+			return next(new Error('[[error:local-login-disabled]]'));
+		}
 	} catch (e) {
 		if (req.loggedIn) {
 			await logoutAsync(req);
diff --git a/test/user.js b/test/user.js
index 3eb85d83ed..f6619bd651 100644
--- a/test/user.js
+++ b/test/user.js
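Review bot: The ban and privilege checks now sit inside the `try`, so a rejection from `getBanError(uid)` or `privileges.global.can('local:login', uid)` is routed through `catch (e)` (which logs the session out when `req.loggedIn` and continues outside the hunk) instead of propagating as it did before the move; if that is not intended, place the two checks directly after the try/catch rather than inside it. The ordering is the security-relevant part of this change and should be stated in code, since a later reorder would silently reintroduce the disclosure: `// Only after the password is verified: a wrong password must not disclose ban or privilege state (#14116)`. The existing "Doing this after the ban check" comment remains accurate and can stay beneath it. `localLogin` begins and ends outside the hunk.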
@@ -1394,6 +1394,17 @@ describe('User', () => {
 			assert.strictEqual(await db.isSortedSetMember('users:banned', testUid), false);
 		});
 
+		it('should not return ban reason if login is incorrect', async () => {
+			const testUid = await User.create({ username: 'bannedUser4', password: '654321' });
+			await User.bans.ban(testUid, 0, 'testing bans');
+			let { response, body } = await helpers.loginUser('bannedUser4', '5555555');
+			assert.strictEqual(response.status, 403);
+			assert.strictEqual(body, '[[error:invalid-login-credentials]]');
+
+			({ response, body } = await helpers.loginUser('bannedUser4', '654321'));
+			assert.strictEqual(response.status, 403);
+			assert.strictEqual(body.reason, 'testing bans');
+		});
 	});
 
 	describe('Digest.getSubscribers', () => {