

Obfuscate login response time.
ftkg authored and zyro committed Jan 25, 2023
1 parent ba25ec2 commit 76b49ea
Showing 1 changed file with 4 additions and 0 deletions.
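--- a/server/console_authenticate.go
+++ b/server/console_authenticate.go
@@ -150,6 +150,8 @@ func (s *ConsoleServer) AuthenticateLogout(ctx context.Context, in *console.Auth
 return &emptypb.Empty{}, nil
 }
 
+var dummyHash = []byte("$2y$10$x8B0hPVxYGDq7bZiYC9jcuwA0B9m4J6vYITYIv0nf.IfYuM1kGI3W")
+
 func (s *ConsoleServer) lookupConsoleUser(ctx context.Context, unameOrEmail, password, ip string) (id uuid.UUID, uname string, email string, role console.UserRole, err error) {
 role = console.UserRole_USER_ROLE_UNKNOWN
 query := "SELECT id, username, email, role, password, disable_time FROM console_user WHERE username = $1 OR email = $1"
@@ -163,6 +165,8 @@ func (s *ConsoleServer) lookupConsoleUser(ctx context.Context, unameOrEmail, pas
 }
 err = status.Error(codes.Unauthenticated, "Invalid credentials.")
 }
+// Call hash function to obfuscate response time when user does not exist.
+_ = bcrypt.CompareHashAndPassword(dummyHash, []byte(password))
 return
 }
 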
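Review bot: The timing equalisation only holds if dummyHash uses the same bcrypt cost as the hashes stored in console_user; the literal is pinned at cost 10, so if stored passwords are hashed at a different cost the unknown-user path still takes a measurably different time, and nothing ties the two together. I would either derive dummyHash at startup with bcrypt.GenerateFromPassword at the same cost constant the console password-hashing code uses, or at minimum document the coupling on the declaration: `// dummyHash must use the same bcrypt cost as stored console_user passwords; the dummy compare in lookupConsoleUser only masks timing if both paths do equal work.` The middle of lookupConsoleUser is outside the hunks, so I cannot see whether the real CompareHashAndPassword returns early or falls through to this tail; if it falls through, the known-user path performs two bcrypt computations versus one here and the timing difference remains, in which case the dummy compare belongs inside the user-not-found branch rather than before the shared `return`.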
