
feat: remove client side email check and add dummy comparison for non existant users

+6 -11
-10
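--- a/src/components/auth.ts
+++ b/src/components/auth.ts
@@ -328,16 +328,6 @@
 
     if (!response.ok) {
       const data = await response.json();
-
-      if (
-        response.status === 401 &&
-        data.error?.includes("Invalid email")
-      ) {
-        this.needsRegistration = true;
-        this.error = "";
-        return;
-      }
-
       this.error = data.error || "Login failed";
       return;
     }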
+6 -1
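--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -112,7 +112,12 @@
     )
     .get(email);
 
-  if (!result) return null;
+  if (!result) {
+    // Dummy comparison to prevent timing-based account enumeration
+    const dummyHash = "0".repeat(64);
+    password === dummyHash;
+    return null;
+  }
 
   if (password !== result.password_hash) return null;
 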
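Review bot: `password === dummyHash;` on the new side is a bare expression statement with no observable effect, so it does not equalize the missing-user and found-user paths — the found-user path still runs a separate `!==` string compare before its own `return null`, and a linter with no-unused-expressions will flag the line. A defender would route both branches through the same fixed-cost comparison, e.g. `timingSafeEqual` from `node:crypto` over equal-length buffers, with the dummy value standing in for `result.password_hash` when the row is missing. It is also worth confirming that comparing `password` directly against a column named `password_hash` is intended (presumably a pre-hashed value from the client); from the hunk alone it reads as a plaintext-against-hash check. The enclosing function starts before and ends after this hunk.
```typescript
  // … unchanged: prepared-statement lookup by email into `result` …
  // Same comparison cost whether or not the row exists; timingSafeEqual
  // throws on unequal lengths, so the length check guards it.
  const expected = Buffer.from(result?.password_hash ?? "0".repeat(64));
  const supplied = Buffer.from(password);
  const match =
    supplied.length === expected.length && timingSafeEqual(supplied, expected);
  if (!result || !match) return null;
```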