Make it impossible to know if an username is used or not with the API

This commit is contained in:
Baptiste Gelez 2018-10-23 10:50:52 +01:00
parent 0dbf9f519e
commit 647a5af070


@ -35,12 +35,16 @@ fn oauth(query: OAuthRequest, conn: DbConn) -> Json<serde_json::Value> {
})) }))
} else { } else {
Json(json!({ Json(json!({
"error": "Wrong password" "error": "Invalid credentials"
})) }))
} }
} else { } else {
// Making fake password verification to avoid different
// response times that would make it possible to know
// if a username is registered or not.
User::get(&*conn, 1).unwrap().auth(query.password);
Json(json!({ Json(json!({
"error": "Unknown user" "error": "Invalid credentials"
})) }))
} }
} else { } else {
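Review bot: The `unwrap()` on `User::get(&*conn, 1)` in the unknown-user branch panics when no user with id 1 exists (deleted, or an empty database), and a panic on exactly the unknown-username path turns into a distinguishable server error, which re-creates the enumeration oracle this commit is removing, on top of the availability issue. Do not tie the dummy verification to a real row: handle the lookup's failure, e.g. `if let Ok(dummy) = User::get(&*conn, 1) { dummy.auth(query.password); }` (use `if let Some(..)` instead if `get` returns an `Option`), or better, verify against a constant precomputed hash produced with the same algorithm and cost so the timing does not depend on user 1's hash parameters. The equalisation is also only approximate — the found-user path looks the user up by username while this path looks one up by id — so the comment should say it is best-effort rather than a guarantee. The enclosing `oauth` function starts before and ends after this hunk.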