From 77d8cc8786390397cb34e23394413df9255db339 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Wed, 5 Mar 2025 08:45:43 +0100
Subject: [PATCH] recognize timing attack potential

---
 src/server/api/session.post.ts | 4 +++-
 src/server/utils/session.ts | 12 +++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/server/api/session.post.ts b/src/server/api/session.post.ts
index 57c0748b..4dda5ffd 100644
--- a/src/server/api/session.post.ts
+++ b/src/server/api/session.post.ts
@@ -6,10 +6,12 @@ export default defineEventHandler(async (event) => {
     validateZod(UserLoginSchema, event)
   );
 
+  // TODO: timing can be used to enumerate usernames
+
   const user = await Database.users.getByUsername(username);
   if (!user)
     throw createError({
-      statusCode: 400,
+      statusCode: 401,
       statusMessage: 'Incorrect credentials',
     });
 
diff --git a/src/server/utils/session.ts b/src/server/utils/session.ts
index 8931ccf7..7b248063 100644
--- a/src/server/utils/session.ts
+++ b/src/server/utils/session.ts
@@ -53,8 +53,8 @@ export async function getCurrentUser(event: H3Event) {
   // TODO: support personal access token or similar
   if (method !== 'Basic' || !value) {
     throw createError({
-      statusCode: 401,
-      statusMessage: 'Session failed',
+      statusCode: 400,
+      statusMessage: 'Invalid Basic Authorization',
     });
   }
 
@@ -67,11 +67,13 @@ export async function getCurrentUser(event: H3Event) {
 
   if (!username || !password) {
     throw createError({
-      statusCode: 401,
-      statusMessage: 'Session failed',
+      statusCode: 400,
+      statusMessage: 'Invalid Basic Authorization',
     });
   }
 
+  // TODO: timing can be used to enumerate usernames
+
   const foundUser = await Database.users.getByUsername(username);
 
   if (!foundUser) {
@@ -87,7 +89,7 @@ export async function getCurrentUser(event: H3Event) {
   if (!passwordValid) {
     throw createError({
       statusCode: 401,
-      statusMessage: 'Incorrect Password',
+      statusMessage: 'Session failed',
     });
   }
   user = foundUser;
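Review bot: The added TODO in the `@@ -6,10 +6,12 @@` hunk of src/server/api/session.post.ts names the problem but leaves the early `throw` for an unknown user in place, so the unknown-user path still returns before any password verification runs and the response-time gap the comment describes remains; the same TODO is added in the `@@ -67,11 +67,13 @@` hunk of src/server/utils/session.ts. The standard mitigation is to make both paths do the same work: when `user` is undefined, run the same password-verification routine against a fixed dummy hash (the verification call is presumably after this hunk, outside the diff) and only then throw the 401, so that the time to the error no longer depends on whether the username exists. Until that is done, the comment would be more useful to the next maintainer as `// TODO: constant-time login — the early throw below returns before password verification, so response time reveals whether a username exists`. The handler body continues outside the hunk, so the unknown-user and wrong-password responses should also be checked to carry the same status and message.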
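Review bot: In the `@@ -53,8 +53,8 @@` hunk of src/server/utils/session.ts, the `method !== 'Basic' || !value` guard now answers 400 `'Invalid Basic Authorization'`, and a request with no `Authorization` header at all would presumably also land here (the parsing of `method`/`value` is above the hunk and not visible), so a client that simply has not authenticated yet gets 400 instead of 401; 401 is the status that tells a client to supply credentials, and 400 is normally reserved for a header that is present but malformed. If the intent is to separate the two cases, consider keeping 401 when the header is absent, e.g. `if (!method) throw createError({ statusCode: 401, statusMessage: 'Authentication required' });` ahead of the existing check. getCurrentUser continues outside this hunk on both sides.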
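Review bot: Changing the wrong-password message to `'Session failed'` in the `@@ -87,7 +89,7 @@` hunk of src/server/utils/session.ts only stops the response from distinguishing an unknown user from a wrong password if the `if (!foundUser) {` branch from the preceding hunk throws the identical `statusCode: 401` and `statusMessage: 'Session failed'`; that branch body is outside the diff, so I cannot confirm it here. The two branches carry the same literal independently, which is how they drifted to `'Incorrect Password'` in the first place; hoisting it once, `const INVALID_CREDENTIALS = 'Session failed';` at module scope and `statusMessage: INVALID_CREDENTIALS` in both throws, keeps them in step. The enclosing getCurrentUser function begins and ends outside this hunk.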