fix: use constant time in user checks (#1004)

This commit is contained in:
Stavros
2026-07-14 16:49:59 +03:00
committed by GitHub
parent d946926c36
commit c22925c2fb
6 changed files with 33 additions and 5 deletions
+17 -2
View File
@@ -69,6 +69,8 @@ type AuthService struct {
tailscale *TailscaleService
policyEngine *PolicyEngine
dummyHash string
lockdown struct {
active bool
until time.Time
@@ -101,7 +103,7 @@ type AuthServiceInput struct {
PolicyEngine *PolicyEngine
}
func NewAuthService(i AuthServiceInput) *AuthService {
func NewAuthService(i AuthServiceInput) (*AuthService, error) {
service := &AuthService{
log: i.Log,
runtime: i.Runtime,
@@ -123,6 +125,15 @@ func NewAuthService(i AuthServiceInput) *AuthService {
loginCacheSize = service.maxLoginLimits
}
// dummy hash
dummyHash, err := bcrypt.GenerateFromPassword([]byte(utils.GenerateString(8)), bcrypt.DefaultCost)
if err != nil {
return nil, fmt.Errorf("failed to generate dummy hash: %w", err)
}
service.dummyHash = string(dummyHash)
// caches setup
oauthCache := NewCacheStore[OAuthPendingSession](256)
loginCache := NewCacheStore[LoginAttempt](loginCacheSize)
@@ -148,7 +159,11 @@ func NewAuthService(i AuthServiceInput) *AuthService {
}
}, ding.RingMinor)
return service
return service, nil
}
func (auth *AuthService) DummyPasswordCheck(password string) {
bcrypt.CompareHashAndPassword([]byte(auth.dummyHash), []byte(password))
}
func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error) {