From 7689b28d6da3245839d5580a55c530ce7e03e3e4 Mon Sep 17 00:00:00 2001 From: BOHA Date: Mon, 23 Mar 2026 08:48:13 +0100 Subject: [PATCH] security: timing-safe auth to prevent username enumeration Co-Authored-By: Claude Opus 4.6 (1M context) --- src/services/auth.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/services/auth.ts b/src/services/auth.ts index a12e84d..c2bf035 100644 --- a/src/services/auth.ts +++ b/src/services/auth.ts @@ -6,6 +6,9 @@ import prisma from '../config/database'; import { config } from '../config/env'; import { AuthData, JwtPayload } from '../types'; +// Pre-computed bcrypt hash for timing-safe comparison when user not found +const DUMMY_HASH = '$2a$12$LJ3m4ys3Lg4oLBFnYP2amuPBzJnJBbGzCl5Y6X9Y8r0q5.s3L6OyO'; + // --- Token helpers --- function hashToken(token: string): string { @@ -79,6 +82,8 @@ export async function login( }); if (!user) { + // Timing-safe: run bcrypt even when user not found + await bcrypt.compare(password, DUMMY_HASH); return { type: 'error', message: 'Neplatné přihlašovací údaje', status: 401 }; }
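Review bot: The hardcoded `DUMMY_HASH` only equalizes timing if its cost factor (`$12$` in the literal) matches the rounds used when real password hashes are created, and the registration/hashing side is not in this patch; with a different round count the not-found branch still takes a measurably different time. Deriving the dummy at module load from the same setting removes that coupling, e.g. `const DUMMY_HASH = bcrypt.hashSync('dummy-password-for-timing', BCRYPT_ROUNDS);` where `BCRYPT_ROUNDS` is whatever the registration path already uses (not visible here). If the literal is kept, add `// Cost factor must stay in sync with the rounds used to hash real passwords` and keep it a well-formed 60-character hash: which library backs the `bcrypt` import is not visible, but the common ones return false without doing the expensive work on a malformed hash string, which would silently defeat the purpose.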
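Review bot: The dummy compare equalizes only the hashing step of the not-found branch; the found-user path (outside this hunk) presumably goes on to verify the real hash and then issue tokens and write session state, so the two branches still differ by that work, and this should be paired with per-account/IP rate limiting rather than relied on alone against enumeration. If a user row can exist without a password hash (external-identity accounts, should the schema allow them — not visible here), that case needs the same dummy compare or the timing gap reappears there. The discarded result deserves a one-line comment, e.g. `// Result intentionally ignored; only the elapsed time matters here`. `login` begins before and ends after this hunk.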