Make it impossible to know if an username is used or not with the API

2018-10-23 10:50:52 +01:00 · 2018-10-23 10:50:52 +01:00 · 647a5af070
commit 647a5af070
parent 0dbf9f519e
1 changed files with 6 additions and 2 deletions
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@ -35,12 +35,16 @@ fn oauth(query: OAuthRequest, conn: DbConn) -> Json<serde_json::Value> {
                }))
            } else {
                Json(json!({
-                    "error": "Wrong password"
+                    "error": "Invalid credentials"
                }))
            }
        } else {
+            // Making fake password verification to avoid different
+            // response times that would make it possible to know
+            // if a username is registered or not.
+            User::get(&*conn, 1).unwrap().auth(query.password);
            Json(json!({
-                "error": "Unknown user"
+                "error": "Invalid credentials"
            }))
        }
    } else {