Mangalord/frontend
MechaCat02 4863219cf6 bugfix: equalise login response time across user-existence branches (0.34.1)
A login attempt against a non-existent username returned 401 in <1ms,
while the wrong-password branch ran argon2 verify (~50-100ms). Timing
the difference let an attacker enumerate valid usernames without ever
seeing a successful response. Run verify_password against a fixed
dummy argon2id hash on the no-user branch so both paths spend the
same compute.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 07:46:46 +02:00