Code not vulnerable to a timing attack
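// bcrypt hash that is compared against when the username is unknown. It has to
// be a real bcrypt hash at the same cost as the stored user hashes: an empty
// string is not a valid bcrypt hash, so bcrypt.compare() returns quickly for it
// and "unknown user" responses would be measurably faster than "wrong password"
// responses, which is exactly the signal the comparison is meant to remove.
// The cost below is a constructed sample value.
// TODO(review): set DUMMY_HASH_COST to the cost factor used for real user hashes.
const DUMMY_HASH_COST = 10;
const DUMMY_HASH = bcrypt.hashSync('dummy-password-never-accepted', DUMMY_HASH_COST);

// POST /login: verify the submitted credentials and, on success, record the
// username in the session and redirect to '/'. Unknown users and wrong
// passwords both get a bare 401 after a full-cost bcrypt comparison, so the
// response time does not reveal whether the username exists.
app.post('/login', (request, response, next) => {
  // NOTE(review): request.params holds route parameters and '/login' declares
  // none, so these are presumably meant to come from request.body — confirm
  // against the body-parsing middleware in use.
  const { username, password } = request.params;
  if (typeof username !== 'string' || typeof password !== 'string') {
    // Malformed request: rejected before any lookup, so this early exit does
    // not depend on whether the user exists.
    response.status(401).end();
    return;
  }

  const user = getUser(username);
  // Always run the comparison, against the dummy hash when the user is unknown,
  // so both paths do the same amount of work.
  const passwordHash = user ? user.hashedPassword : DUMMY_HASH;

  bcrypt.compare(password, passwordHash, (error, matched) => {
    if (error) {
      // Route bcrypt failures to the Express error handler rather than leaving
      // the request without a response.
      next(error);
      return;
    }
    if (!user || !matched) {
      // The explicit !user check ensures a match against DUMMY_HASH can never
      // log anyone in. end() is required: status() alone does not send a reply.
      response.status(401).end();
      return;
    }
    // NOTE(review): if the session middleware is express-session, regenerating
    // the session before storing the username avoids session fixation — confirm
    // which middleware is in use.
    request.session.username = username;
    response.redirect('/');
  });
});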