Make it impossible to know if an username is used or not with the API

This commit is contained in:
Baptiste Gelez 2018-10-23 10:50:52 +01:00
parent 0dbf9f519e
commit 647a5af070

View file

@ -35,12 +35,16 @@ fn oauth(query: OAuthRequest, conn: DbConn) -> Json<serde_json::Value> {
}))
} else {
Json(json!({
"error": "Wrong password"
"error": "Invalid credentials"
}))
}
} else {
// Making fake password verification to avoid different
// response times that would make it possible to know
// if a username is registered or not.
User::get(&*conn, 1).unwrap().auth(query.password);
Json(json!({
"error": "Unknown user"
"error": "Invalid credentials"
}))
}
} else {