bugfix: equalise login response time across user-existence branches (0.34.1)
A login attempt against a non-existent username returned 401 in <1ms, while the wrong-password branch ran argon2 verify (~50-100ms). Timing the difference let an attacker enumerate valid usernames without ever seeing a successful response. Run verify_password against a fixed dummy argon2id hash on the no-user branch so both paths spend the same compute. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "mangalord"
|
||||
version = "0.34.0"
|
||||
version = "0.34.1"
|
||||
edition = "2021"
|
||||
default-run = "mangalord"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user