
reset session.ts

This is currently being worked on in the dev-oauth branch.
pull/2553/head
Bernd Storath 1 month ago
parent
commit
f26e06991c
  1. 17
      src/server/utils/session.ts

17
src/server/utils/session.ts

@ -70,21 +70,26 @@ export async function getCurrentUser(event: H3Event) {
}); });
} }
// TODO: timing can be used to enumerate usernames
const foundUser = await Database.users.getByUsername(username); const foundUser = await Database.users.getByUsername(username);
// Always verify password to prevent timing-based username enumeration if (!foundUser) {
const userHashPassword = throw createError({
foundUser?.password ?? statusCode: 401,
'$argon2id$v=19$m=65536,t=3,p=4$aaaaaaaaaaaaaaaa$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'; statusMessage: 'Session failed',
});
}
const userHashPassword = foundUser.password;
const passwordValid = await isPasswordValid(password, userHashPassword); const passwordValid = await isPasswordValid(password, userHashPassword);
if (!foundUser || !passwordValid) { if (!passwordValid) {
throw createError({ throw createError({
statusCode: 401, statusCode: 401,
statusMessage: 'Session failed', statusMessage: 'Session failed',
}); });
} }
user = foundUser; user = foundUser;
} else { } else {
throw createError({ throw createError({
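Review bot: The early `if (!foundUser)` throw on the new side returns 401 before `isPasswordValid` ever runs, so a request for a non-existent username now finishes without the argon2 cost while a request for an existing one pays it — the `// TODO: timing can be used to enumerate usernames` added just above it acknowledges exactly this, and the commit message defers the fix to the dev-oauth branch. If this reset is going to sit on a shipped branch for a while, the TODO should carry the mitigation so it is not lost in the hand-off: `// TODO(security): unknown usernames skip argon2 and return faster — verify against a dummy hash on the !foundUser path so both outcomes take the same time`. Both 401s already use the identical `'Session failed'` message, so as far as this hunk shows, timing is the only remaining enumeration channel; whether the login route is rate-limited elsewhere is not visible here. The enclosing function (labelled `getCurrentUser` in the hunk header) starts and ends outside the hunk, and the hunk header's line counts indicate a few trailing lines are not rendered on this page.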
