security: timing-safe auth to prevent username enumeration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 08:48:13 +01:00
parent 333d1f7697
commit 7689b28d6d
1 changed files with 5 additions and 0 deletions
--- a/src/services/auth.ts
+++ b/src/services/auth.ts
@@ -6,6 +6,9 @@ import prisma from '../config/database';
 import { config } from '../config/env';
 import { AuthData, JwtPayload } from '../types';

+// Pre-computed bcrypt hash for timing-safe comparison when user not found
+const DUMMY_HASH = '$2a$12$LJ3m4ys3Lg4oLBFnYP2amuPBzJnJBbGzCl5Y6X9Y8r0q5.s3L6OyO';
+
 // --- Token helpers ---

 function hashToken(token: string): string {
@@ -79,6 +82,8 @@ export async function login(
  });

  if (!user) {
+    // Timing-safe: run bcrypt even when user not found
+    await bcrypt.compare(password, DUMMY_HASH);
    return { type: 'error', message: 'Neplatné přihlašovací údaje', status: 401 };
  }