python/fastapi-users
1
0
Fork 0
mirror of https://github.com/fastapi-users/fastapi-users.git synced 2025-11-08 08:56:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

Run the anti-timing attack hash only when user is None

Browse Source
This commit is contained in:
François Voron
2019-10-25 09:10:30 +02:00
parent 7485f79fc5
commit 3875632c80
1 changed files with 3 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
fastapi_users/db/base.py
View File

@ -39,11 +39,10 @@ class BaseUserDatabase:
""" """
user = await self.get_by_email(credentials.username) user = await self.get_by_email(credentials.username)
# Always run the hasher to mitigate timing attack if user is None:
# Run the hasher to mitigate timing attack
# Inspired from Django: https://code.djangoproject.com/ticket/20760 # Inspired from Django: https://code.djangoproject.com/ticket/20760
password.get_password_hash(credentials.password) password.get_password_hash(credentials.password)
if user is None:
return None return None
verified, updated_password_hash = password.verify_and_update_password( verified, updated_password_hash = password.verify_and_update_password(