mirrors/homebox
1
0
Fork 1
mirror of https://github.com/hay-kot/homebox.git synced 2025-08-04 00:30:27 +00:00
Code Issues Projects Releases Packages Wiki Activity

prevent timed attacks on login

Browse source
This commit is contained in:
Hayden 2022-10-09 11:05:18 -05:00
parent 0c57a34325
commit 38a0217e8c
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
backend/internal/services/service_user.go
View file

@ -142,7 +142,13 @@ func (svc *UserService) createToken(ctx context.Context, userId uuid.UUID) (User
func (svc *UserService) Login(ctx context.Context, username, password string) (UserAuthTokenDetail, error) {
usr, err := svc.repos.Users.GetOneEmail(ctx, username)
if err != nil || !hasher.CheckPasswordHash(password, usr.PasswordHash) {
if err != nil {
// SECURITY: Perform hash to ensure response times are the same
hasher.CheckPasswordHash("not-a-real-password", "not-a-real-password")
return UserAuthTokenDetail{}, ErrorInvalidLogin
}
if !hasher.CheckPasswordHash(password, usr.PasswordHash) {
return UserAuthTokenDetail{}, ErrorInvalidLogin
}