🪻 distributed transcription service
thistle.dunkirk.sh
feat: remove client side email check and add dummy comparison for non existant users
+6
-11
-10
src/components/auth.ts
-10
src/components/auth.ts
···
328
328
329
329
if (!response.ok) {
330
330
const data = await response.json();
331
-
332
-
if (
333
-
response.status === 401 &&
334
-
data.error?.includes("Invalid email")
335
-
) {
336
-
this.needsRegistration = true;
337
-
this.error = "";
338
-
return;
339
-
}
340
-
341
331
this.error = data.error || "Login failed";
342
332
return;
343
333
}
+6
-1
src/lib/auth.ts
+6
-1
src/lib/auth.ts
···
112
112
)
113
113
.get(email);
114
114
115
-
if (!result) return null;
115
+
if (!result) {
116
+
// Dummy comparison to prevent timing-based account enumeration
117
+
const dummyHash = "0".repeat(64);
118
+
password === dummyHash;
119
+
return null;
120
+
}
116
121
117
122
if (password !== result.password_hash) return null;
118
123