boha_admin/app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity

security: timing-safe auth to prevent username enumeration

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-03-23 08:48:13 +01:00
parent 333d1f7697
commit 7689b28d6d
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/services/auth.ts
View File

@@ -6,6 +6,9 @@ import prisma from '../config/database';
import { config } from '../config/env'; import { config } from '../config/env';
import { AuthData, JwtPayload } from '../types'; import { AuthData, JwtPayload } from '../types';
// Pre-computed bcrypt hash for timing-safe comparison when user not found
const DUMMY_HASH = '$2a$12$LJ3m4ys3Lg4oLBFnYP2amuPBzJnJBbGzCl5Y6X9Y8r0q5.s3L6OyO';
// --- Token helpers --- // --- Token helpers ---
function hashToken(token: string): string { function hashToken(token: string): string {
@@ -79,6 +82,8 @@ export async function login(
}); });
if (!user) { if (!user) {
// Timing-safe: run bcrypt even when user not found
await bcrypt.compare(password, DUMMY_HASH);
return { type: 'error', message: 'Neplatné přihlašovací údaje', status: 401 }; return { type: 'error', message: 'Neplatné přihlašovací údaje', status: 401 };
} }