From 4b3005057f99cd7008b4aff4ecd7cf90968eb072 Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Sat, 17 Sep 2022 17:36:40 -0400
Subject: [PATCH] fix: prevent user enumeration using local login timings
---
 server/modules/authentication/local/authentication.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/modules/authentication/local/authentication.js b/server/modules/authentication/local/authentication.js
index e6fa75d3..ea2bf1d0 100644
--- a/server/modules/authentication/local/authentication.js
+++ b/server/modules/authentication/local/authentication.js
@@ -1,3 +1,5 @@
+const bcrypt = require('bcryptjs-then')
+
 /* global WIKI */
 
 // ------------------------------------
@@ -28,6 +30,9 @@ module.exports = {
 done(null, user)
 }
 } else {
+ // Fake verify password to mask timing differences
+ await bcrypt.compare((Math.random() + 1).toString(36), '$2a$12$irXbAcQSY59pcQQfNQpY8uyhfSw48nzDikAmr60drI501nR.PuBx2')
+
 done(new WIKI.Error.AuthLoginFailed(), null)
 }
 } catch (err) {
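Review bot: The dummy hash on the `await bcrypt.compare(...)` line in the second hunk pins cost factor 12 (`$2a$12$`), so the timing mask only holds if stored user passwords are hashed at the same cost; if the project's hashing cost differs or is later changed, the measurable gap between "unknown user" and "wrong password" returns. Lift the literal into a named module-level constant next to the new `require`, documented with a comment such as `// bcrypt hash of a throwaway password at cost 12 — must match the cost used for stored user hashes, or the timing difference this masks reappears`, and if the real hashing cost is available from configuration, prefer generating the dummy hash from that value at startup. The `(Math.random() + 1).toString(36)` input adds nothing over a fixed string, since the goal is simply to spend one full compare; a constant such as `'not-a-real-password'` states that intent more clearly. Note that the branch still differs by the user lookup that precedes it, which is outside this hunk; the enclosing verify callback starts and ends outside the hunk.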