make sure login delay is long enough to prevent email guessing

2026-02-06 09:56:05 +00:00 · 2024-12-18 14:55:50 +01:00 · 2024-12-18 14:55:50 +01:00 · 53ce67ce92
commit 53ce67ce92
parent c7e24b4b82
2 changed files with 15 additions and 1 deletions
--- a/backend/src/graphql/resolver/UserResolver.ts
+++ b/backend/src/graphql/resolver/UserResolver.ts
@ -86,6 +86,7 @@ import { setUserRole, deleteUserRole } from './util/modifyUserRole'
 import { sendUserToGms } from './util/sendUserToGms'
 import { syncHumhub } from './util/syncHumhub'
 import { validateAlias } from './util/validateAlias'
+import { delay } from '@/util/utilities'

 const LANGUAGES = ['de', 'en', 'es', 'fr', 'nl']
 const DEFAULT_LANGUAGE = 'de'
@ -150,7 +151,16 @@ export class UserResolver {
  ): Promise<User> {
    logger.info(`login with ${email}, ***, ${publisherId} ...`)
    email = email.trim().toLowerCase()
-    const dbUser = await findUserByEmail(email)
+    let dbUser: DbUser
+
+    try {
+      dbUser = await findUserByEmail(email)
+    } catch (e) {
+      // simulate delay which occur on password encryption 650 ms +- 50 rnd
+      await delay(650 + Math.floor(Math.random() * 101) - 50)
+      throw e
+    }
+
    if (dbUser.deletedAt) {
      throw new LogError('This user was permanently deleted. Contact support for questions', dbUser)
    }
--- a/backend/src/util/utilities.ts
+++ b/backend/src/util/utilities.ts
@ -1,3 +1,5 @@
+import { promisify } from 'util'
+
 import { Decimal } from 'decimal.js-light'
 import i18n from 'i18n'

@ -30,6 +32,8 @@ export function resetInterface<T extends Record<string, any>>(obj: T): T {
  return obj
 }

+export const delay = promisify(setTimeout)
+
 export const ensureUrlEndsWithSlash = (url: string): string => {
  return url.endsWith('/') ? url : url.concat('/')
 }