bugfix: equalise login response time across user-existence branches (0.34.1)

A login attempt against a non-existent username returned 401 in <1ms, while the wrong-password branch ran argon2 verify (~50-100ms). Timing the difference let an attacker enumerate valid usernames without ever seeing a successful response. Run verify_password against a fixed dummy argon2id hash on the no-user branch so both paths spend the same compute. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 07:46:46 +02:00
parent e7662d18d6
commit 4863219cf6
4 changed files with 113 additions and 5 deletions
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "mangalord-frontend",
-  "version": "0.34.0",
+  "version": "0.34.1",
  "private": true,
  "type": "module",
  "scripts": {