From 7558046e757640e99614aa88df4998bdb362d16b Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 11 Jul 2018 16:28:33 -0400
Subject: [PATCH] add brute-force protection for change password and email actions

---
 src/user/password.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/user/password.js b/src/user/password.js
index d644fd2e8f..bf39d029d0 100644
--- a/src/user/password.js
+++ b/src/user/password.js
@@ -33,7 +33,16 @@ module.exports = function (User) {
 			function (next) {
 				Password.compare(password, hashedPassword, next);
 			},
-		], callback);
+		], function (err, ok) {
+			if (err) {
+				return callback(err);
+			}
+
+			// Delay return for incorrect current password
+			setTimeout(function () {
+				callback(null, ok);
+			}, ok ? 0 : 2500);
+		});
 	};
 
 	User.hasPassword = function (uid, callback) {
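Review bot: The added `setTimeout` in the waterfall's final callback delays each individual response but does not bound the rate of attempts: the wait is asynchronous and per-request, so a client that fires many password checks concurrently gets all of them answered after the same 2.5 s, and only a strictly sequential attacker is slowed by the "brute-force protection" named in the subject. Genuine limiting needs state keyed per uid (or per client) that counts failures and rejects or escalates the delay for further attempts on that key, which this hunk does not introduce; the response time also now differs by 2.5 s between the two outcomes, which is no more than the result itself already reveals but is worth noting in a comment. At minimum hoist the magic number, e.g. `const WRONG_PASSWORD_DELAY_MS = 2500;` near the top of the module, and extend the comment to say the delay is a deterrent, not a limiter. The enclosing function and its `callback` parameter begin above line 33, outside the hunk.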