From 58488e1c881dc0b7384fcfacbb44dac99839bfbd Mon Sep 17 00:00:00 2001
From: Mohamed Bassem
Date: Sun, 6 Jul 2025 23:41:46 +0000
Subject: fix: Add a dummy bcrypt comparison in validatePassword when the user is not found
---
 packages/trpc/auth.ts | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'packages/trpc/auth.ts')
diff --git a/packages/trpc/auth.ts b/packages/trpc/auth.ts
index 1c3b860d..caf8e182 100644
--- a/packages/trpc/auth.ts
+++ b/packages/trpc/auth.ts
@@ -93,6 +93,12 @@ export async function validatePassword(email: string, password: string) {
 });
 if (!user) {
+ // Run a bcrypt comparison anyways to hide the fact of whether the user exists or not (protecting against timing attacks)
+ await bcrypt.compare(
+ password +
+ "b6bfd1e907eb40462e73986f6cd628c036dc079b101186d36d53b824af3c9d2e",
+ "a-dummy-password-that-should-never-match",
+ );
 throw new Error("User not found");
 }
-- 
cgit v1.2.3-70-g09d2
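Review bot: The dummy comparison in the added `if (!user)` branch passes `"a-dummy-password-that-should-never-match"` as the hash argument, which is not a well-formed bcrypt hash, and both common implementations (`bcrypt`, which validates the salt prefix natively, and `bcryptjs`, which checks for a 60-character hash) return `false` early on a malformed hash without running the key-stretching rounds — so the unknown-user path stays measurably faster and the timing-equalization this commit intends is not achieved (which library is imported is outside the hunk, so confirm against the import). The fix is to compare against a real bcrypt hash produced with the same cost factor as the stored user hashes, computed once at module load rather than per request, e.g. `const DUMMY_HASH = bcrypt.hashSync("dummy-password", <PROJECT_SALT_ROUNDS>);` at module scope and `await bcrypt.compare(password, DUMMY_HASH);` here; the `password + "b6bf…"` suffix adds nothing, since bcrypt only consumes the first 72 bytes of its input. Note also that `throw new Error("User not found")` still discloses account existence through the error text if the wrong-password branch further down throws a different message; a single generic "invalid credentials" error for both cases is what the timing fix is meant to protect. The remainder of `validatePassword` lies outside this hunk.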