From f26e06991cd32f1c6b1d89e337d0ba03a335fa9a Mon Sep 17 00:00:00 2001
From: Bernd Storath
Date: Wed, 3 Jun 2026 10:33:00 +0200
Subject: [PATCH] reset session.ts

this is currently worked on in the dev-oauth branch
---
 src/server/utils/session.ts | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/server/utils/session.ts b/src/server/utils/session.ts
index 15e0ae97..1a144cea 100644
--- a/src/server/utils/session.ts
+++ b/src/server/utils/session.ts
@@ -70,21 +70,26 @@ export async function getCurrentUser(event: H3Event) {
       });
     }
+    // TODO: timing can be used to enumerate usernames
+
     const foundUser = await Database.users.getByUsername(username);
-    // Always verify password to prevent timing-based username enumeration
-    const userHashPassword =
-      foundUser?.password ??
-      '$argon2id$v=19$m=65536,t=3,p=4$aaaaaaaaaaaaaaaa$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
+    if (!foundUser) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Session failed',
+      });
+    }
+
+    const userHashPassword = foundUser.password;
     const passwordValid = await isPasswordValid(password, userHashPassword);
-    if (!foundUser || !passwordValid) {
+    if (!passwordValid) {
       throw createError({
         statusCode: 401,
         statusMessage: 'Session failed',
       });
     }
-
     user = foundUser;
   } else {
     throw createError({
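Review bot: The new `if (!foundUser)` branch throws before `isPasswordValid` runs, so a request for an unknown username now answers 401 without the argon2 verification that a known username with a wrong password still pays for; the added TODO names this regression, but neither the TODO nor the commit message says why the constant-cost path was dropped or what covers the gap until the dev-oauth work lands. If the interim state is intended, the cheapest way to keep both paths doing the same work is to still run the verifier on the not-found branch, e.g. `if (!foundUser) { await isPasswordValid(password, PLACEHOLDER_ARGON2_HASH); throw createError({ statusCode: 401, statusMessage: 'Session failed' }); }` where `PLACEHOLDER_ARGON2_HASH` is the dummy hash the removed lines used; otherwise say so in the comment. The TODO is also separated from the lookup it describes by a blank line and reads as a stray comment, so attach it directly above `const foundUser` and point at the branch: `// TODO(dev-oauth): the not-found branch below skips the hash check, so response time reveals whether a username exists; restored with the auth rework`. The two identical `createError({ statusCode: 401, statusMessage: 'Session failed' })` blocks in the hunk could also share one helper. getCurrentUser begins before this hunk and continues after it.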