recognize timing attack potential

src/server/api/session.post.ts

@@ -6,10 +6,12 @@ export default defineEventHandler(async (event) => {
     validateZod(UserLoginSchema, event)
   );
 
+  // TODO: timing can be used to enumerate usernames
+
   const user = await Database.users.getByUsername(username);
   if (!user)
     throw createError({
-      statusCode: 400,
+      statusCode: 401,
       statusMessage: 'Incorrect credentials',
     });
 

src/server/utils/session.ts

@@ -53,8 +53,8 @@ export async function getCurrentUser(event: H3Event) {
     // TODO: support personal access token or similar
     if (method !== 'Basic' || !value) {
       throw createError({
-        statusCode: 401,
-        statusMessage: 'Session failed',
+        statusCode: 400,
+        statusMessage: 'Invalid Basic Authorization',
       });
     }
 
@@ -67,11 +67,13 @@ export async function getCurrentUser(event: H3Event) {
 
     if (!username || !password) {
       throw createError({
-        statusCode: 401,
-        statusMessage: 'Session failed',
+        statusCode: 400,
+        statusMessage: 'Invalid Basic Authorization',
       });
     }
 
+    // TODO: timing can be used to enumerate usernames
+
     const foundUser = await Database.users.getByUsername(username);
 
     if (!foundUser) {
@@ -87,7 +89,7 @@ export async function getCurrentUser(event: H3Event) {
     if (!passwordValid) {
       throw createError({
         statusCode: 401,
-        statusMessage: 'Incorrect Password',
+        statusMessage: 'Session failed',
       });
     }
     user = foundUser;