Run the anti-timing attack hash only when user is None

2025-11-02 12:21:53 +08:00 · 2019-10-25 09:10:30 +02:00
parent 7485f79fc5
commit 3875632c80
1 changed files with 3 additions and 4 deletions
--- a/fastapi_users/db/base.py
+++ b/fastapi_users/db/base.py
@ -39,11 +39,10 @@ class BaseUserDatabase:
        """
        user = await self.get_by_email(credentials.username)

-        # Always run the hasher to mitigate timing attack
-        # Inspired from Django: https://code.djangoproject.com/ticket/20760
-        password.get_password_hash(credentials.password)
-
        if user is None:
+            # Run the hasher to mitigate timing attack
+            # Inspired from Django: https://code.djangoproject.com/ticket/20760
+            password.get_password_hash(credentials.password)
            return None

        verified, updated_password_hash = password.verify_and_update_password(