add brute-force protection for change password and email actions

2026-02-22 22:50:53 +01:00 · 2018-07-11 16:28:33 -04:00
parent d0c22c5bd3
commit 7558046e75
1 changed files with 10 additions and 1 deletions
--- a/src/user/password.js
+++ b/src/user/password.js
@@ -33,7 +33,16 @@ module.exports = function (User) {
 			function (next) {
 				Password.compare(password, hashedPassword, next);
 			},
-		], callback);
+		], function (err, ok) {
+			if (err) {
+				return callback(err);
+			}
+
+			// Delay return for incorrect current password
+			setTimeout(function () {
+				callback(null, ok);
+			}, ok ? 0 : 2500);
+		});
 	};

 	User.hasPassword = function (uid, callback) {