Always compare password with a hash

Prevents quick response when user / email doesn't exist
2025-11-13 01:15:47 +01:00 · 2017-11-01 18:57:52 -06:00
parent c9465403f5
commit ec38b18e34
1 changed files with 30 additions and 7 deletions
--- a/src/password.js
+++ b/src/password.js
@@ -4,16 +4,39 @@ var path = require('path');

 var fork = require('./meta/debugFork');

-exports.hash = function (rounds, password, callback) {
+function hash(rounds, password, callback) {
 	forkChild({ type: 'hash', rounds: rounds, password: password }, callback);
-};
-
-exports.compare = function (password, hash, callback) {
-	if (!hash || !password) {
-		return setImmediate(callback, null, false);
 }
-	forkChild({ type: 'compare', password: password, hash: hash }, callback);
-};
+
+exports.hash = hash;
+
+var fakeHashCache;
+function getFakeHash(callback) {
+	if (fakeHashCache) {
+		return callback(null, fakeHashCache);
+	}
+
+	hash(12, Math.random().toString(), function (err, hash) {
+		if (err) {
+			return callback(err);
+		}
+
+		fakeHashCache = hash;
+		callback(null, fakeHashCache);
+	});
+}
+
+function compare(password, hash, callback) {
+	getFakeHash(function (err, fakeHash) {
+		if (err) {
+			return callback(err);
+		}
+
+		forkChild({ type: 'compare', password: password, hash: hash || fakeHash }, callback);
+	});
+}
+
+exports.compare = compare;

 function forkChild(message, callback) {
 	var child = fork(path.join(__dirname, 'bcrypt'));