fix(security): add username validation, constant-time login, default credential rejection, and tooling

2026-02-18 19:11:14 +01:00
parent 1521005b62
commit f41b8fd8c2
8 changed files with 393 additions and 1 deletions
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -58,7 +58,13 @@ def login(
    """
    user = db.query(User).filter(User.username == form_data.username).first()

-    if user is None or not verify_password(form_data.password, user.hashed_password):
+    # Constant-time comparison: always run bcrypt verify to prevent
+    # timing-based user enumeration (SEC-005).
+    _DUMMY_HASH = "$2b$12$LJ3m4ys3Lg3dMO/NpNmOaeVwFpWJMxlB2FLmEAo9fZr.S8H1vC4Wy"
+    hashed = user.hashed_password if user else _DUMMY_HASH
+    password_valid = verify_password(form_data.password, hashed)
+
+    if user is None or not password_valid:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Incorrect username or password",