security(auth): harmonize response times for token creation #162

New issue

Open

opened 2026-04-22 06:47:22 +00:00 by chartgerink · 0 comments

chartgerink commented 2026-04-22 06:47:22 +00:00

Owner

Copy link

When logging in or requesting a password reset, the response times are variable based on whether a user exists or not. In order to reduce enumeration attacks (CWE-204: Observable Response Discrepancy).

This requires creating a pseudo-token to ensure the response times are harmonized.

When logging in or requesting a password reset, the response times are variable based on whether a user exists or not. In order to reduce enumeration attacks (CWE-204: Observable Response Discrepancy). This requires creating a pseudo-token to ensure the response times are harmonized.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

add/lang-type-license

fix/92

add/frontend

2.2.4

2.2.3

2.2.2

2.2.1

2.2.0

2.1.0

2.0.0

Labels

Clear labels   

bug

Something is not working

  

critical

issues that are blocking other work, high importance + urgent

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

future

Not on the docket right now. Keeping the issue for future work.

  

help wanted

Need some help

  

invalid

Something is wrong

  

MAJOR

  

MINOR

  

PATCH

  

question

More information is needed

  

wontfix

This won't be fixed

No labels

bug

critical

duplicate

enhancement

future

help wanted

invalid

MAJOR

MINOR

PATCH

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

researchequals/api#162

No description provided.