fix: Add a dummy bcrypt comparison in validatePassword when the user is not found

author: Mohamed Bassem <me@mbassem.com> 2025-07-06 23:41:46 +0000
committer: Mohamed Bassem <me@mbassem.com> 2025-07-06 23:41:46 +0000
commit: 58488e1c881dc0b7384fcfacbb44dac99839bfbd (patch)
tree: d5029dae8d859528912801de372c1767918b3feb /packages/trpc/auth.ts
parent: 71458166108ab805e8924f851953489f0c00d989 (diff)
download: karakeep-58488e1c881dc0b7384fcfacbb44dac99839bfbd.tar.zst
1 files changed, 6 insertions, 0 deletions
diff --git a/packages/trpc/auth.ts b/packages/trpc/auth.ts
index 1c3b860d..caf8e182 100644
--- a/packages/trpc/auth.ts
+++ b/packages/trpc/auth.ts
@@ -93,6 +93,12 @@ export async function validatePassword(email: string, password: string) {
   });
 
   if (!user) {
+    // Run a bcrypt comparison anyways to hide the fact of whether the user exists or not (protecting against timing attacks)
+    await bcrypt.compare(
+      password +
+        "b6bfd1e907eb40462e73986f6cd628c036dc079b101186d36d53b824af3c9d2e",
+      "a-dummy-password-that-should-never-match",
+    );
     throw new Error("User not found");
   }
author	Mohamed Bassem <me@mbassem.com>	2025-07-06 23:41:46 +0000
committer	Mohamed Bassem <me@mbassem.com>	2025-07-06 23:41:46 +0000
commit	58488e1c881dc0b7384fcfacbb44dac99839bfbd (patch)
tree	d5029dae8d859528912801de372c1767918b3feb /packages/trpc/auth.ts
parent	71458166108ab805e8924f851953489f0c00d989 (diff)
download	karakeep-58488e1c881dc0b7384fcfacbb44dac99839bfbd.tar.zst