
some-scooter-3723

03/02/2022, 6:34 PM
Hello, I found a time.Sleep below which I don't know why we need; can someone explain? Thanks so much. selfservice/strategy/password/login.go

    i, c, err := s.d.PrivilegedIdentityPool().FindByCredentialsIdentifier(r.Context(), s.ID(), p.Identifier)
    if err != nil {
        // No identity matches the identifier: wait for a random duration around the
        // configured Argon2 hashing time before returning the generic credentials error.
        time.Sleep(x.RandomDelay(s.d.Config(r.Context()).HasherArgon2().ExpectedDuration, s.d.Config(r.Context()).HasherArgon2().ExpectedDeviation))
        return nil, s.handleLoginError(w, r, f, &p, errors.WithStack(schema.NewInvalidCredentialsError()))
    }

magnificent-energy-493

03/03/2022, 10:19 AM
Maybe @User can answer that question? I am not sure.

steep-lamp-91158

03/03/2022, 10:25 AM
the problem here is that it would allow for side-channel attacks by figuring out if the account exists based on response time

some-scooter-3723

03/03/2022, 11:05 AM
Ah, got it, thanks @User