mitigation for timing attacks
This commit is contained in:
parent
e4fe00a91a
commit
d0f7de6208
1 changed files with 7 additions and 4 deletions
@ -2,6 +2,9 @@
bcrypt = (require 'bcrypt')
sqlite3 = (require 'sqlite3').verbose()
# bruteforce countermeasure
saltRounds = 13
FFTCGDB = (filename) ->
@filename = filename
@ -30,8 +33,6 @@ FFTCGDB::close = ->
FFTCGDB::register = (login, password) ->
that = @
# bruteforce countermeasure
saltRounds = 13
new Promise (resolve, reject) ->
# validate username
@ -49,7 +50,7 @@ FFTCGDB::register = (login, password) ->
else
# registration successful
resolve login
resolve @lastID
FFTCGDB::login = (login, password) ->
that = @
@ -63,7 +64,9 @@ FFTCGDB::login = (login, password) ->
reject 'db'
else if rows.length == 0
reject 'existence'
# hashing the password for timing attack reasons
bcrypt.hash password, saltRounds, (err, hash) ->
reject 'existence'
else
row = rows[0]
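Review bot: The `rows.length == 0` branch in the last hunk now spends a bcrypt hash before rejecting, but it still rejects with the distinct reason 'existence', so if the caller surfaces that reason differently from a wrong-password failure (the comparison branch is outside this hunk), the account enumeration the timing mitigation addresses stays visible in the response itself; both failures should map to one generic rejection. The equalization also only holds while every stored hash was produced with the same cost as `saltRounds` (13), because `bcrypt.compare` runs at the cost embedded in the stored hash, so comparing the password against one fixed dummy hash would keep the two paths on the same code path and cost instead of generating a fresh salt each time. The added comment should say why rather than what, e.g. `# no such user: still run one bcrypt operation so this path takes as long as a failed compare, otherwise response time reveals which logins exist`, and a short note that `err` and `hash` in the added callback are intentionally unused would stop a later cleanup from short-circuiting the delay. FFTCGDB::login begins and ends outside the hunk.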