probing user names is still possible with "register", so doesn't matter

This commit is contained in:
Jörn-Michael Miehe 2019-05-07 17:37:11 +02:00
parent 98a774a54d
commit 640cfe3b03

View file

@ -82,8 +82,7 @@ class FFTCGDB
stmt.finalize() stmt.finalize()
if err if err
logger.warn "reg: FAIL db '#{err.code}' for '#{login}'" logger.warn "reg: FAIL db '#{err.code}' for '#{login}'"
# reduce attack surface, don't disclose user names reject 'existence' # user already exists
reject 'db' # user already exists
else else
logger.info "reg: OK '#{login}'" logger.info "reg: OK '#{login}'"
@ -106,8 +105,7 @@ class FFTCGDB
# hash the password for timing attack reasons # hash the password for timing attack reasons
bcrypt.hash password, saltRounds, (err, hash) -> bcrypt.hash password, saltRounds, (err, hash) ->
logger.debug "login: FAIL nonexistent '#{login}'" logger.debug "login: FAIL nonexistent '#{login}'"
# reduce attack surface, don't disclose user names reject 'existence' # user doesnt exist
reject 'login' # user doesnt exist
else else
bcrypt.compare password, row.pwdhash, (err, res) -> bcrypt.compare password, row.pwdhash, (err, res) ->