From 3875632c80e6b1b0d6e7002b83eaf821b37b07f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Voron?=
Date: Fri, 25 Oct 2019 09:10:30 +0200
Subject: [PATCH] Run the anti-timing attack hash only when user is None

---
 fastapi_users/db/base.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/fastapi_users/db/base.py b/fastapi_users/db/base.py
index daf2ffcb..60384170 100644
--- a/fastapi_users/db/base.py
+++ b/fastapi_users/db/base.py
@@ -39,11 +39,10 @@ class BaseUserDatabase:
         """
         user = await self.get_by_email(credentials.username)
 
-        # Always run the hasher to mitigate timing attack
-        # Inspired from Django: https://code.djangoproject.com/ticket/20760
-        password.get_password_hash(credentials.password)
-
         if user is None:
+            # Run the hasher to mitigate timing attack
+            # Inspired from Django: https://code.djangoproject.com/ticket/20760
+            password.get_password_hash(credentials.password)
             return None
 
         verified, updated_password_hash = password.verify_and_update_password(
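Review bot: The dummy `password.get_password_hash(credentials.password)` inside the `if user is None:` branch only balances the two paths while it uses the same scheme and cost parameters as the `password.verify_and_update_password(` call below it; a stored hash in a different scheme or with different rounds will take a measurably different time, and if the `updated_password_hash` return value means a re-hash on upgrade, that path presumably runs a second hash as well. The new comment should spell out the assumption the mitigation rests on, e.g. `# Run the hasher so the unknown-user path costs about the same as verify_and_update_password below`, so a later change to either hasher call does not silently break the equivalence. Note that the `get_by_email` lookup before the branch is outside what this balancing covers. The enclosing method starts before the hunk and its body continues past it.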