userService.Authenticate in models has a timing side-channel that reveals which users are registered: when the us.ByEmail call returns a non-nil error, Authenticate returns early, so a login attempt against an unregistered email address fails faster than one against a registered address with a wrong password. The response time therefore leaks which email addresses have accounts.
Authenticate already returns the same error (ErrInvalidLogin) for a not-found email address and for an incorrect password, so fixing this side-channel together with issue #1 will stop this leakage of user information. See OWASP's Authentication cheat sheet for more details.
Don't have an early exit in Authenticate; use the shape shown in the OWASP cheat sheet, where the hash and lookup run on every attempt and the error is returned only at the end:

    password_hash=HASH(password)
    IS_VALID=LOOKUP_CREDENTIALS_IN_STORE(username, password_hash)
    IF NOT IS_VALID THEN
        RETURN Error("Invalid Username or Password!")
    ENDIF
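The following Go program is an added illustration of the two shapes described above; it is not the project's own code. userService, ByEmail and ErrInvalidLogin are taken from the report, while slowHash (an iterated HMAC-SHA256 stand-in for the real password hash such as bcrypt), the dummy credential, Register, AuthenticateLeaky, AuthenticateUniform and medianDuration are constructed for this example. AuthenticateLeaky returns as soon as the lookup fails; AuthenticateUniform always hashes and compares, against a dummy credential when no user matched, so both outcomes do the same work. main times both against a constructed account.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sort"
	"time"
)

// ErrInvalidLogin is the single error returned for both "no such user" and
// "wrong password", as in the report. ErrNotFound is the store's own error.
var (
	ErrInvalidLogin = errors.New("invalid email or password")
	ErrNotFound     = errors.New("user not found")
)

// User is a constructed stand-in for the project's user model.
type User struct {
	Email        string
	Salt         []byte
	PasswordHash []byte
}

// slowHash is a stand-in for the project's real password hash (e.g. bcrypt):
// iterated HMAC-SHA256 that costs the same fixed amount on every call.
func slowHash(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	out := append([]byte(nil), password...)
	for i := 0; i < 10000; i++ {
		mac.Reset()
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// userService holds an in-memory store plus a dummy credential that the
// uniform path hashes against when no user matches the email (assumption).
type userService struct {
	users     map[string]*User
	dummySalt []byte
	dummyHash []byte
}

func newUserService() *userService {
	us := &userService{users: map[string]*User{}, dummySalt: randomBytes(16)}
	// Hash of a random secret nobody knows: no supplied password can match it.
	us.dummyHash = slowHash(randomBytes(32), us.dummySalt)
	return us
}

func (us *userService) Register(email, password string) {
	salt := randomBytes(16)
	us.users[email] = &User{Email: email, Salt: salt, PasswordHash: slowHash([]byte(password), salt)}
}

// ByEmail mirrors the store lookup named in the report.
func (us *userService) ByEmail(email string) (*User, error) {
	u, ok := us.users[email]
	if !ok {
		return nil, ErrNotFound
	}
	return u, nil
}

// AuthenticateLeaky is the pattern the report describes: returning as soon as
// ByEmail fails skips the hash, so unknown emails answer much faster.
func (us *userService) AuthenticateLeaky(email, password string) (*User, error) {
	u, err := us.ByEmail(email)
	if err != nil {
		return nil, ErrInvalidLogin
	}
	if subtle.ConstantTimeCompare(slowHash([]byte(password), u.Salt), u.PasswordHash) != 1 {
		return nil, ErrInvalidLogin
	}
	return u, nil
}

// AuthenticateUniform follows the OWASP shape: hash and compare on every call,
// against the dummy credential when the lookup failed, and decide at the end.
func (us *userService) AuthenticateUniform(email, password string) (*User, error) {
	u, err := us.ByEmail(email)
	salt, want := us.dummySalt, us.dummyHash
	if err == nil {
		salt, want = u.Salt, u.PasswordHash
	}
	match := subtle.ConstantTimeCompare(slowHash([]byte(password), salt), want) == 1
	if err != nil || !match {
		return nil, ErrInvalidLogin
	}
	return u, nil
}

// medianDuration times fn over n runs and returns the median, which is what a
// remote observer would estimate after repeating a request.
func medianDuration(n int, fn func()) time.Duration {
	ds := make([]time.Duration, n)
	for i := range ds {
		start := time.Now()
		fn()
		ds[i] = time.Since(start)
	}
	sort.Slice(ds, func(i, j int) bool { return ds[i] < ds[j] })
	return ds[n/2]
}

func main() {
	us := newUserService()
	us.Register("alice@example.test", "correct horse battery staple") // constructed account
	for name, auth := range map[string]func(string, string) (*User, error){
		"leaky":   us.AuthenticateLeaky,
		"uniform": us.AuthenticateUniform,
	} {
		known := medianDuration(15, func() { auth("alice@example.test", "wrong password") })
		unknown := medianDuration(15, func() { auth("nobody@example.test", "wrong password") })
		fmt.Printf("%-8s registered email: %v   unknown email: %v\n", name, known, unknown)
	}
}
```

Run with `go run .`; the leaky variant shows a microsecond-scale unknown-email path next to a millisecond-scale registered-email path, while the uniform variant reports the two as roughly equal. The dummy hash is derived from a random secret so that a caller cannot craft a password that matches it, and the final check still rejects the attempt whenever the lookup failed, so the dummy comparison can never grant access.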
This is not experience-breaking, and it is a very common side-channel that would in any case be difficult to measure due to variable latency and network speeds.