fix: prevent user enumeration using local login timings
pull/5367/merge
NGPixel
2 years ago
No known key found for this signature in database
GPG Key ID: 8FDA2F1757F60D63
1 changed files with
5 additions and
0 deletions
-
server/modules/authentication/local/authentication.js
|
|
@ -1,3 +1,5 @@ |
|
|
|
const bcrypt = require('bcryptjs-then') |
|
|
|
|
|
|
|
/* global WIKI */ |
|
|
|
|
|
|
|
// ------------------------------------
|
|
|
@ -28,6 +30,9 @@ module.exports = { |
|
|
|
done(null, user) |
|
|
|
} |
|
|
|
} else { |
|
|
|
// Fake verify password to mask timing differences
|
|
|
|
await bcrypt.compare((Math.random() + 1).toString(36), '$2a$12$irXbAcQSY59pcQQfNQpY8uyhfSw48nzDikAmr60drI501nR.PuBx2') |
|
|
|
|
|
|
|
done(new WIKI.Error.AuthLoginFailed(), null) |
|
|
|
} |
|
|
|
} catch (err) { |
|
|
|
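Review bot: The dummy compare on the `await bcrypt.compare(...)` line is pinned to a hard-coded `$2a$12$` hash, so it only equalizes timing while every stored user hash is also at cost 12; if the hashing cost is configured elsewhere in WIKI or existing hashes were created at a different cost, the user-not-found branch becomes distinguishable again. I would hoist the literal to a named module constant next to the `require('bcryptjs-then')` line with a comment tying it to the real cost, e.g. `// Cost factor must match the one used to hash stored passwords, or the timing mask fails` above `const DUMMY_HASH = '$2a$12$irXbAcQSY59pcQQfNQpY8uyhfSw48nzDikAmr60drI501nR.PuBx2'`, or generate the dummy hash once at startup with the configured cost. This also masks only the bcrypt work: the user lookup that precedes the `if`/`else` (not visible in the hunk) may still take measurably different time for existing and missing accounts, which is worth checking with a timing test. The enclosing function starts and ends outside the hunk.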