Prevent Timing Attacks
zimt28 opened this issue · comments
zimt28 commented
I'm currently reading Programming Phoenix and right there the authentication method is defined like this:
```elixir
# Brings in Comeonin's bcrypt helpers; this import sits at module level in the book's Rumbl.Auth module.
import Comeonin.Bcrypt, only: [checkpw: 2, dummy_checkpw: 0]

def login_by_username_and_pass(conn, username, given_pass, opts) do
  repo = Keyword.fetch!(opts, :repo)
  user = repo.get_by(Rumbl.User, username: username)

  cond do
    # Known user, correct password: run the real bcrypt check and log in (login/2 is a helper in the same module).
    user && checkpw(given_pass, user.password_hash) ->
      {:ok, login(conn, user)}

    # Known user, wrong password: checkpw/2 has already been paid for above.
    user ->
      {:error, :unauthorized, conn}

    # Unknown user: still spend a bcrypt's worth of time so the response does not reveal whether the username exists.
    true ->
      dummy_checkpw()
      {:error, :not_found, conn}
  end
end
```
Quite similar to doorman's, but it also uses Comeonin's dummy_checkpw function to prevent timing attacks. It would be great if you could add this as well :)
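To make the point of the dummy check concrete, here is an added Python transcription of the same pattern (it is not doorman's or Comeonin's code). It stands in a PBKDF2 hash for bcrypt, keeps a hypothetical single-user store built inline, and counts how many expensive hash computations each login variant performs: the vulnerable version returns immediately for an unknown username, while the hardened one always does one hash, which is exactly what the dummy_checkpw call in the snippet above buys you.

```python
import hashlib
import hmac
import os
import time

# Work factor for the stand-in hash; large enough that the cost difference is measurable.
PBKDF2_ITERATIONS = 20_000

# Counter of expensive hash computations, used to show how much work each login path does.
_HASH_CALLS = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def checkpw(given_pass: str, salt: bytes, password_hash: bytes) -> bool:
    """Verify a password; the final comparison is constant-time."""
    global _HASH_CALLS
    _HASH_CALLS += 1
    return hmac.compare_digest(hash_password(given_pass, salt), password_hash)


# Constructed sample user store: one account with a hash computed at import time.
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _ALICE_SALT, "password_hash": hash_password("correct horse", _ALICE_SALT)},
}

# Throwaway credential used to burn the same work when no such user exists
# (assumption: this mirrors what Comeonin's dummy_checkpw does with a fixed bcrypt hash).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy password", _DUMMY_SALT)


def dummy_checkpw() -> bool:
    """Spend one hash's worth of time, then reject."""
    checkpw("not the dummy password", _DUMMY_SALT, _DUMMY_HASH)
    return False


def login_vulnerable(username: str, given_pass: str):
    """Unknown usernames are rejected without hashing: the fast path leaks account existence."""
    user = USERS.get(username)
    if user and checkpw(given_pass, user["salt"], user["password_hash"]):
        return ("ok", username)
    if user:
        return ("error", "unauthorized")
    return ("error", "not_found")


def login_hardened(username: str, given_pass: str):
    """Every path performs exactly one hash, so timing no longer distinguishes the two errors."""
    user = USERS.get(username)
    if user and checkpw(given_pass, user["salt"], user["password_hash"]):
        return ("ok", username)
    if user:
        return ("error", "unauthorized")
    dummy_checkpw()
    return ("error", "not_found")


def hash_calls_for(login, username: str, given_pass: str):
    """Return (login result, number of expensive hash computations that call performed)."""
    global _HASH_CALLS
    before = _HASH_CALLS
    result = login(username, given_pass)
    return result, _HASH_CALLS - before


def seconds_for(login, username: str, given_pass: str) -> float:
    """Wall-clock time of one login attempt, for an eyeball comparison."""
    start = time.perf_counter()
    login(username, given_pass)
    return time.perf_counter() - start


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = seconds_for(fn, "alice", "wrong password")
        unknown = seconds_for(fn, "nobody", "wrong password")
        print(f"{name:10s} known user: {known * 1000:7.2f} ms   unknown user: {unknown * 1000:7.2f} ms")
```

Running the script shows the vulnerable variant answering an unknown username in microseconds while a known one takes a full hash, and the hardened variant taking a full hash in both cases. Note that the function still returns distinct `not_found` and `unauthorized` results internally, as the Elixir version does; the controller layer has to map both to the same client-facing message, or the enumeration leak simply moves from the timing channel to the response body.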
Blake Williams commented
Good call! I'll look into implementing this.
Blake Williams commented
Thanks for reporting this, fixed in #13.