This repository was archived by the owner on Sep 24, 2024. It is now read-only.
This repository was archived by the owner on Sep 24, 2024. It is now read-only.
Authentication example ignore timing attack #3
Open
Description
Hello,
I am a bit concerned by the example presented.
Indeed the hash function is likely to take some time and therefore even if the email is not leaked by the error message, it is instead leaked by the difference of time the server took to respond.
A better way in my opinion would be to compute an hash in all cases like:
// Validating the existence of a user with the specified email.
const existingUser = await User.findOne({ email });
if (!existingUser) {
let _ = await bcrypt.compare(password, "fake password used to counter timing attack");
return res
.status(401)
.json({ errorMessage: "Invalid email or password." });
}
// Validating the password attributed to that User object with the passwordHash
// from the database.
const passwordCorrect = await bcrypt.compare(password, existingUser.passwordHash);
if (!passwordCorrect) {
return res
.status(401)
.json({ errorMessage: "Invalid email or password." });
}
I understand the extra line can undermine the point about error messsages which is the crucial first step, but I feel like at least an extra note about it should be added at the end.
Metadata
Metadata
Assignees
Labels
No labels