adjust cost

proxy/src/auth/backend.rs

@@ -217,25 +217,25 @@ async fn auth_quirks(
     };
     let (cached_entry, secret) = cached_secret.take_value();
 
-    let hash_iter_count = match &secret {
-        #[cfg(any(test, feature = "testing"))]
-        Some(AuthSecret::Md5(_)) => 1,
-        Some(AuthSecret::Scram(s)) => s.iterations,
-        None => 0,
-    };
-    // only count the full hash count if password hack or websocket flow.
-    // in other words, if proxy needs to run the hashing
-    let password_weight = if unauthenticated_password.is_some() || allow_cleartext {
-        hash_iter_count
-    } else {
-        1
-    };
-
     let secret = match secret {
         Some(secret) => {
             // we have validated the endpoint exists, so let's intern it.
             let endpoint = EndpointIdInt::from(&info.endpoint);
 
+            // only count the full hash count if password hack or websocket flow.
+            // in other words, if proxy needs to run the hashing
+            let password_weight = if unauthenticated_password.is_some() || allow_cleartext {
+                match &secret {
+                    #[cfg(any(test, feature = "testing"))]
+                    AuthSecret::Md5(_) => 1,
+                    // performing the full scram flow with a password takes hash_iter_count + 3 + 1 hmac_sha_256 operations.
+                    AuthSecret::Scram(s) => s.iterations + 4,
+                }
+            } else {
+                // validating scram takes just 1 hmac_sha_256 operation.
+                1
+            };
+
             if config
                 .rate_limiter
                 .check((endpoint, ctx.peer_addr), password_weight)