LOADING…
0%
Complete changelog

Commit

Harden auth: constant-time login + refresh token rotation

Commit details

Commit notes

Two auth weaknesses in the credential and session flow:

- Login user enumeration via timing. The login handler returned immediately when no account matched the email, but ran bcrypt (~tens of ms) when it did, so an attacker could distinguish registered from unregistered emails by response latency despite the identical "Invalid credentials" message. Now the handler always runs a bcrypt comparison — against a cached dummy hash when the account is missing — so timing no longer depends on account existence.

- Refresh tokens were rotated but not revoked. POST /auth/refresh issued a new refresh token while leaving the presented one valid until its natural expiry, so a leaked refresh token stayed usable indefinitely and token reuse went undetected. The endpoint now revokes the presented token when it issues the replacement, so a single refresh token cannot be reused after rotation.

[private session redacted]

Files changed
1
Lines added
+36
Lines removed
−7
This page is a permanent record of commit 84a54276.