
sec: make timings consistent when user enumerations would be possible through timing attacks

Open nicolasauler opened this issue 2 years ago • 0 comments

As stated in #60: To make the application secure, we need to avoid user enumeration. This PR starts the effort; we need:

  • Consistent return when the user/email exists and when it doesn't exist in sign up (implemented in this PR)
  • Consistent timings for the above routes
  • Clear user communication (sending forgot password email when user exists and doing the appropriate logic: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html)
  • Forgot password functionality
  • Rate limiting in these endpoints #61
  • Captcha #20

This issue should implement the consistent timings when user exists and when they don't.

nicolasauler avatar Jan 24 '24 20:01 nicolasauler
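An added example (not code from this project or its author) of what "consistent timings" means for the sign-up and forgot-password routes: both branches do the same expensive work (one password hash) and return the same message, and every response is padded to a minimum duration so a residual difference (a database insert versus a skipped insert) cannot be measured. The in-memory store, the `HASH_CALLS` counter, the dummy hash cost and the 50 ms floor are assumptions for the demo.

```python
import hashlib
import os
import secrets
import time

# Constructed in-memory stores standing in for the project's database (assumption).
USERS: dict[str, tuple[bytes, bytes]] = {}   # email -> (salt, pbkdf2 digest)
RESET_TOKENS: dict[str, bytes] = {}          # email -> hashed reset token
ITERATIONS = 10_000                          # PBKDF2 cost, kept low for the demo
MIN_RESPONSE_SECONDS = 0.05                  # floor every response is padded to
HASH_CALLS = {"count": 0}                    # instrumentation: proves both paths do equal work


def hash_secret(secret: str, salt: bytes) -> bytes:
    """One fixed-cost hash; counted so the test can compare the two branches."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def _pad_to_floor(started: float) -> None:
    """Sleep until at least MIN_RESPONSE_SECONDS have elapsed since `started`."""
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - started)
    if remaining > 0:
        time.sleep(remaining)


def sign_up(email: str, password: str) -> str:
    """Same message and same hashing work whether or not the email is already taken."""
    started = time.monotonic()
    salt = os.urandom(16)
    digest = hash_secret(password, salt)   # always hash, even if the result is discarded
    if email not in USERS:                 # only the cheap insert differs between branches
        USERS[email] = (salt, digest)
    # A real app would send "confirm your account" or "you already have an account" mail here,
    # per the OWASP forgot-password guidance the issue links.
    _pad_to_floor(started)
    return "If this address is eligible, a confirmation email has been sent."


def forgot_password(email: str) -> str:
    """Same message and same work whether or not the email exists."""
    started = time.monotonic()
    token = secrets.token_urlsafe(32)
    token_hash = hash_secret(token, os.urandom(16))   # generated and hashed on both branches
    if email in USERS:
        RESET_TOKENS[email] = token_hash              # real app: also email the raw token
    _pad_to_floor(started)
    return "If an account exists for this address, a reset email has been sent."


def timed(fn, *args) -> tuple[str, float]:
    """Return (response, elapsed seconds) so callers can check the padding floor."""
    started = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - started
```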