GKaszewski/thoughts
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): validate JWT secret length, equalize login timing, reduce TTL to 24h

Browse Source
This commit is contained in:
Gabriel Kaszewski
2026-05-15 16:16:58 +02:00
parent 50a08d8ed6
commit 75e8d349e3
3 changed files with 23 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
crates/application/src/use_cases/auth.rs
View File

@@ -64,10 +64,15 @@ pub async fn login(
input: LoginInput,
) -> Result<LoginOutput, DomainError> {
let email = Email::new(input.email)?;
let user = users
.find_by_email(&email)
.await?
.ok_or(DomainError::Unauthorized)?;
let user = users.find_by_email(&email).await?;
if user.is_none() {
// Timing equalization — prevents email enumeration via response-time oracle.
// Running the hasher on a miss makes "no such user" take the same time as
// "wrong password", so attackers cannot distinguish the two cases.
let _ = hasher.hash(&input.password).await;
return Err(DomainError::Unauthorized);
}
let user = user.unwrap();
if !hasher.verify(&input.password, &user.password_hash).await? {
return Err(DomainError::Unauthorized);
}