From d0f7de62084c1f004007ede6eb9a605b9ae342c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn-Michael=20Miehe?=
Date: Sun, 16 Dec 2018 02:37:00 +0100
Subject: [PATCH] mitigation for timing attacks
---
 inc/fftcgdb.coffee | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/inc/fftcgdb.coffee b/inc/fftcgdb.coffee
index de5c422..6cd94e5 100644
--- a/inc/fftcgdb.coffee
+++ b/inc/fftcgdb.coffee
@@ -2,6 +2,9 @@
 bcrypt = (require 'bcrypt')
 sqlite3 = (require 'sqlite3').verbose()
+# bruteforce countermeasure
+saltRounds = 13
+
 FFTCGDB = (filename) ->
 @filename = filename
@@ -30,8 +33,6 @@ FFTCGDB::close = ->
 FFTCGDB::register = (login, password) ->
 that = @
- # bruteforce countermeasure
- saltRounds = 13
 new Promise (resolve, reject) ->
 # validate username
@@ -49,7 +50,7 @@ FFTCGDB::register = (login, password) ->
 else
 # registration successful
- resolve login
+ resolve @lastID
 FFTCGDB::login = (login, password) ->
 that = @
@@ -63,7 +64,9 @@ FFTCGDB::login = (login, password) ->
 reject 'db'
 else if rows.length == 0
- reject 'existence'
+ # hashing the password for timing attack reasons
+ bcrypt.hash password, saltRounds, (err, hash) ->
+ reject 'existence'
 else
 row = rows[0]
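Review bot: The comment on the new module-scope `saltRounds` only says `# bruteforce countermeasure`, but the value is now load-bearing in two places: it is the bcrypt cost for `register` (the local copy is removed in the second hunk) and the cost of the dummy hash added to `login` in the last hunk, so the two paths take comparable time only while they share it. A comment that states this would keep a future change from silently breaking the mitigation, e.g. `# bcrypt cost factor (2^13 rounds); shared by register and by the login dummy hash so both paths do the same work`. The surrounding file header and the `FFTCGDB` constructor continue outside the hunk.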
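Review bot: `resolve @lastID` depends on `@` being the sqlite3 Statement inside the callback that wraps this line, which only holds if that callback is a thin-arrow `->` function invoked by the sqlite3 `run` call; the enclosing callback and the rest of `FFTCGDB::register` are outside the hunk, so this cannot be confirmed here. If that callback is a fat-arrow `=>`, or if it is nested inside another function as the visible `that = @` pattern suggests is common in this file, `@lastID` is `undefined` and the promise resolves with nothing. Worth a one-line comment stating the new contract, e.g. `# resolves with the new row id (sqlite3 Statement.lastID), no longer the login name`.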
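Review bot: The dummy `bcrypt.hash` equalizes timing, but `reject 'existence'` still reports a reason distinct from the wrong-password branch (the `else` below, whose body is outside the hunk), so if the caller forwards the reason to the client, account existence is disclosed regardless of timing; rejecting both branches with the same reason would close that channel. The callback also discards `err` and `hash`, which is intentional but not obvious, so the added comment could say so: `# result and error are deliberately ignored; only the elapsed time matters, to match bcrypt.compare in the else branch`. Note too that a fresh hash at cost `saltRounds` only approximates a `compare` against a stored hash when stored hashes were generated with the same cost, so any later change to `saltRounds` reopens a measurable gap for older rows. `FFTCGDB::login`'s body continues outside the hunk.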