
recognize timing attack potential

Bernd Storath 5 months ago
parent
commit
77d8cc8786
  1. 4
      src/server/api/session.post.ts
  2. 12
      src/server/utils/session.ts

4
src/server/api/session.post.ts

@ -6,10 +6,12 @@ export default defineEventHandler(async (event) => {
validateZod(UserLoginSchema, event) validateZod(UserLoginSchema, event)
); );
// TODO: timing can be used to enumerate usernames
const user = await Database.users.getByUsername(username); const user = await Database.users.getByUsername(username);
if (!user) if (!user)
throw createError({ throw createError({
statusCode: 400, statusCode: 401,
statusMessage: 'Incorrect credentials', statusMessage: 'Incorrect credentials',
}); });
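Review bot: The new TODO on the getByUsername line names the side channel, but the `if (!user) throw` right below it still returns before any password verification runs, so a request with an unknown username completes measurably faster than one with a wrong password; the `foundUser` branch of getCurrentUser in src/server/utils/session.ts has the same shape. The usual mitigation is to verify the submitted password against a fixed placeholder hash when no user is found, so both paths do the same amount of work before the 401 is thrown, and then to make sure the two failures share one status and message as this commit now does. The password comparison itself is not visible in this hunk, so which hash function the placeholder must be produced with cannot be confirmed here. The handler starts and ends outside the hunk.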

12
src/server/utils/session.ts

@ -53,8 +53,8 @@ export async function getCurrentUser(event: H3Event) {
// TODO: support personal access token or similar // TODO: support personal access token or similar
if (method !== 'Basic' || !value) { if (method !== 'Basic' || !value) {
throw createError({ throw createError({
statusCode: 401, statusCode: 400,
statusMessage: 'Session failed', statusMessage: 'Invalid Basic Authorization',
}); });
} }
@ -67,11 +67,13 @@ export async function getCurrentUser(event: H3Event) {
if (!username || !password) { if (!username || !password) {
throw createError({ throw createError({
statusCode: 401, statusCode: 400,
statusMessage: 'Session failed', statusMessage: 'Invalid Basic Authorization',
}); });
} }
// TODO: timing can be used to enumerate usernames
const foundUser = await Database.users.getByUsername(username); const foundUser = await Database.users.getByUsername(username);
if (!foundUser) { if (!foundUser) {
@ -87,7 +89,7 @@ export async function getCurrentUser(event: H3Event) {
if (!passwordValid) { if (!passwordValid) {
throw createError({ throw createError({
statusCode: 401, statusCode: 401,
statusMessage: 'Incorrect Password', statusMessage: 'Session failed',
}); });
} }
user = foundUser; user = foundUser;
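Review bot: The first two hunks of this file now throw the identical object `createError({ statusCode: 400, statusMessage: 'Invalid Basic Authorization' })` twice, once for a non-Basic or empty header and once for a header that decodes to a missing username or password; a small local helper keeps the two in step the next time the code or message changes, e.g. `const invalidBasicAuth = () => createError({ statusCode: 400, statusMessage: 'Invalid Basic Authorization' });` used as `throw invalidBasicAuth();` at both sites. Collapsing the wrong-password message to 'Session failed' in the last hunk is the right direction for not distinguishing failure causes; the body of the `if (!foundUser)` branch is cut off at the second hunk's edge, so whether it now produces the same status and message cannot be confirmed from this page. getCurrentUser starts and ends outside these hunks.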
