ENG-3370: Fix incorrect error message on login with bad credentials (#7882)

gilluminate · claude · gilluminate · commit bf1ae9677994 · 2026-04-09T15:09:47.000-06:00
Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/changelog/7882-fix-login-error-message.yaml b/changelog/7882-fix-login-error-message.yaml
@@ -0,0 +1,4 @@
+type: Fixed
+description: Fixed login page showing SSO configuration error instead of generic login failure message when entering incorrect credentials
+pr: 7882
+labels: []
diff --git a/clients/admin-ui/src/pages/login.tsx b/clients/admin-ui/src/pages/login.tsx
@@ -168,22 +168,25 @@ const useLogin = () => {
       dispatch(login(user));
     } catch (error) {
       setShowAnimation(false);
-      // eslint-disable-next-line no-console
-      console.log(error);
-      let defaultErrorMsg: string;
+      console.error(error);
+      let errorMsg: string;
       if (isFromInvite) {
-        defaultErrorMsg = "Setup failed. Please try the invite link again.";
+        // Invite and reset-password flows may surface backend error detail
+        // (e.g. expired/invalid token) since it is actionable to the user.
+        errorMsg = getErrorMessage(
+          error as RTKErrorResult["error"],
+          "Setup failed. Please try the invite link again.",
+        );
       } else if (isResetPassword) {
-        defaultErrorMsg =
-          "Password reset failed. The link may have expired. Please request a new one.";
+        errorMsg = getErrorMessage(
+          error as RTKErrorResult["error"],
+          "Password reset failed. The link may have expired. Please request a new one.",
+        );
       } else {
-        defaultErrorMsg =
-          "Login failed. Please check your credentials and try again.";
+        // Always show a generic message for standard login failures to avoid
+        // leaking backend details (SSO config, authorization state, etc.)
+        errorMsg = "Login failed. Please check your credentials and try again.";
       }
-      const errorMsg = getErrorMessage(
-        error as RTKErrorResult["error"],
-        defaultErrorMsg,
-      );
       message.error(errorMsg);
     } finally {
       setIsSubmitting(false);
