From 3373bb66cd57c1c32821ae04c7f66c3f7ec0628e Mon Sep 17 00:00:00 2001 From: Bat Date: Mon, 3 Sep 2018 18:04:21 +0100 Subject: [PATCH] Fake password verification when trying to login with inexistant account Fix #170 --- src/routes/session.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/routes/session.rs b/src/routes/session.rs index bcc3c6b0..a0d3c7fb 100644 --- a/src/routes/session.rs +++ b/src/routes/session.rs @@ -57,6 +57,10 @@ fn create(conn: DbConn, data: LenientForm, flash: Option e }; if let Err(_) = user.clone() { + // Fake password verification, only to avoid different login times + // that could be used to see if an email adress is registered or not + User::get(&*conn, 1).map(|u| u.auth(form.password.clone())); + let mut err = ValidationError::new("invalid_login"); err.message = Some(Cow::from("Invalid username or password")); errors.add("email_or_name", err)
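Review bot: The dummy verification `User::get(&*conn, 1).map(|u| u.auth(form.password.clone()));` only does any work if a user with id 1 exists; when that row is absent (deleted account, fresh instance) the closure is skipped, no hash is computed, and the response-time difference this commit is meant to hide returns. It also ties the equalising cost to one real account's stored hash and adds an extra database lookup on the failure path only, so the two paths may still differ measurably. Consider verifying the submitted password against a fixed, pre-computed dummy hash generated with the same parameters as real accounts, so the work does not depend on database contents; at minimum record the assumption next to the call, e.g. `// Assumes user id 1 exists; if it does not, no hash is computed and the timing gap reappears`. `create` begins and continues outside this hunk, so whether the found-user path does an equivalent amount of work cannot be confirmed from the lines shown.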