Fake password verification when trying to login with inexistant account

Fix #170
2018-09-03 18:04:21 +01:00 · 2018-09-03 18:04:21 +01:00 · 3373bb66cd
commit 3373bb66cd
parent 78b3202a32
1 changed files with 4 additions and 0 deletions
--- a/src/routes/session.rs
+++ b/src/routes/session.rs
@ -57,6 +57,10 @@ fn create(conn: DbConn, data: LenientForm<LoginForm>, flash: Option<FlashMessage
        Err(e) => e
    };
    if let Err(_) = user.clone() {
+        // Fake password verification, only to avoid different login times
+        // that could be used to see if an email adress is registered or not
+        User::get(&*conn, 1).map(|u| u.auth(form.password.clone()));
+
        let mut err = ValidationError::new("invalid_login");
        err.message = Some(Cow::from("Invalid username or password"));
        errors.add("email_or_name", err)