Commit
Harden auth: constant-time login + refresh token rotation
Commit details
Commit notes
Two auth weaknesses in the credential and session flow:
- Login user enumeration via timing. The login handler returned immediately when no account matched the email, but ran bcrypt (~tens of ms) when it did, so an attacker could distinguish registered from unregistered emails by response latency despite the identical "Invalid credentials" message. Now the handler always runs a bcrypt comparison — against a cached dummy hash when the account is missing — so timing no longer depends on account existence.
- Refresh tokens were rotated but not revoked. POST /auth/refresh issued a new refresh token while leaving the presented one valid until its natural expiry, so a leaked refresh token stayed usable indefinitely and token reuse went undetected. The endpoint now revokes the presented token when it issues the replacement, so a single refresh token cannot be reused after rotation.
[private session redacted]
- Files changed
- 1
- Lines added
- +36
- Lines removed
- −7