`userService.Authenticate` in models has a timing side-channel which reveals registered users due to the early return if the `us.ByEmail` call returns a non-nil error.

This leaks information about which users are registered. `Authenticate` returns the same error (`ErrInvalidLogin`) for a not-found email address and for an incorrect password, so fixing this side-channel and issue #1 will stop this leakage of user information. See OWASP's cheat sheet for more details.
Don't have an early exit in `Authenticate`, as shown in the OWASP cheat sheet:

```text
password_hash=HASH(password)
IS_VALID=LOOKUP_CREDENTIALS_IN_STORE(username, password_hash)
IF NOT IS_VALID THEN
    RETURN Error("Invalid Username or Password!")
ENDIF
```
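To make the fix concrete, the following is an added Go example (not the project's own code) showing the leaky early-return shape next to an evened-out version. The store, `User` type, `ErrNotFound` and `slowHash` are all assumptions constructed for the example; `slowHash` is an iterated SHA-256 standing in for a real password hash such as bcrypt or argon2, chosen only so the comparison cost is visible. The key point is that the unknown-email path still runs the full hash comparison, against a precomputed dummy hash, so both failures cost the same and still yield the single `ErrInvalidLogin`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrInvalidLogin mirrors the single error Authenticate returns for both an
// unknown email and a wrong password.
var ErrInvalidLogin = errors.New("invalid login")

// ErrNotFound is the assumed error a ByEmail lookup returns on a miss.
var ErrNotFound = errors.New("user not found")

// User is a minimal assumed user record.
type User struct {
	Email        string
	PasswordHash []byte
}

// userStore is an in-memory stand-in for the real store (hypothetical).
type userStore map[string]*User

func (s userStore) ByEmail(email string) (*User, error) {
	u, ok := s[email]
	if !ok {
		return nil, ErrNotFound
	}
	return u, nil
}

// slowHash stands in for bcrypt/argon2: a deliberately iterated SHA-256 so
// the cost of the comparison step is noticeable. Use a real password hash in
// production code.
func slowHash(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	for i := 0; i < 20000; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// dummyHash is computed once so the unknown-email path does the same work as
// the known-email path.
var dummyHash = slowHash("dummy-password-never-used")

// authenticateLeaky is the pattern described in the issue: on a lookup miss it
// returns before any hash work, so response time reveals whether the email is
// registered even though the error value is the same.
func authenticateLeaky(s userStore, email, password string) (*User, error) {
	u, err := s.ByEmail(email)
	if err != nil {
		return nil, ErrInvalidLogin // early return: cheap path
	}
	if subtle.ConstantTimeCompare(u.PasswordHash, slowHash(password)) != 1 {
		return nil, ErrInvalidLogin
	}
	return u, nil
}

// authenticateEven runs the hash comparison on every request, against the
// dummy hash when the email is unknown, so both failure paths cost the same.
func authenticateEven(s userStore, email, password string) (*User, error) {
	stored := dummyHash
	u, err := s.ByEmail(email)
	found := err == nil
	if found {
		stored = u.PasswordHash
	}
	match := subtle.ConstantTimeCompare(stored, slowHash(password)) == 1
	if !found || !match {
		return nil, ErrInvalidLogin
	}
	return u, nil
}

func main() {
	// Constructed sample store with one registered user.
	store := userStore{
		"alice@example.com": {Email: "alice@example.com", PasswordHash: slowHash("correct horse")},
	}
	for _, c := range []struct{ email, pw string }{
		{"alice@example.com", "correct horse"},
		{"alice@example.com", "wrong"},
		{"nobody@example.com", "wrong"},
	} {
		_, err := authenticateEven(store, c.email, c.pw)
		fmt.Printf("%-20s -> %v\n", c.email, err)
	}
}
```

Note that the lookup itself (`ByEmail`) can still differ in cost between a hit and a miss depending on the backing store; the dummy-hash comparison removes the dominant difference, which is the password hash work that the early return skips.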
Before production.
This is not experience-breaking, and a very common side-channel which would be difficult to measure anyway due to variable latency and network speeds.