From 38a0217e8cb9c905049be312e077b3d450bc6eee Mon Sep 17 00:00:00 2001
From: Hayden <64056131+hay-kot@users.noreply.github.com>
Date: Sun, 9 Oct 2022 11:05:18 -0500
Subject: [PATCH] prevent timed attacks on login

---
 backend/internal/services/service_user.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/internal/services/service_user.go b/backend/internal/services/service_user.go
index 688821a..6e192de 100644
--- a/backend/internal/services/service_user.go
+++ b/backend/internal/services/service_user.go
@@ -142,7 +142,13 @@ func (svc *UserService) createToken(ctx context.Context, userId uuid.UUID) (User
 func (svc *UserService) Login(ctx context.Context, username, password string) (UserAuthTokenDetail, error) {
 usr, err := svc.repos.Users.GetOneEmail(ctx, username)
- if err != nil || !hasher.CheckPasswordHash(password, usr.PasswordHash) {
+ if err != nil {
+ // SECURITY: Perform hash to ensure response times are the same
+ hasher.CheckPasswordHash("not-a-real-password", "not-a-real-password")
+ return UserAuthTokenDetail{}, ErrorInvalidLogin
+ }
+
+ if !hasher.CheckPasswordHash(password, usr.PasswordHash) {
 return UserAuthTokenDetail{}, ErrorInvalidLogin
 }