fix: don't reveal whether a user exists

cli/src/routes.rs

@@ -96,7 +96,7 @@ pub async fn login(
                 _ => Ok(HttpResponse::Ok().json(json!({ "key": token }))),
             }
         }
-        Err(e) => Err(ErrorUnauthorized(e)),
+        Err(_) => Err(ErrorUnauthorized("Invalid credentials.")),
     }
 }
 

db/src/lib.rs

@@ -314,13 +314,21 @@ impl UpEndConnection {
             .filter(dsl::username.eq(username))
             .load::<models::UserValue>(&conn)?;
 
-        let user = user_result.first().ok_or(anyhow!("User not found"))?;
-
-        let parsed_hash = PasswordHash::new(&user.password).map_err(|e| anyhow!(e))?;
-        let argon2 = Argon2::default();
-        argon2
-            .verify_password(password.as_ref(), &parsed_hash)
-            .map_err(|e| anyhow!(e))
+        match user_result.first() {
+            Some(user) => {
+                let parsed_hash = PasswordHash::new(&user.password).map_err(|e| anyhow!(e))?;
+                let argon2 = Argon2::default();
+                argon2
+                    .verify_password(password.as_ref(), &parsed_hash)
+                    .map_err(|e| anyhow!(e))
+            }
+            None => {
+                let argon2 = Argon2::default();
+                let _ = argon2
+                    .verify_password(password.as_ref(), &PasswordHash::new(&DUMMY_HASH).unwrap());
+                Err(anyhow!("user not found"))
+            }
+        }
     }
 
     pub fn retrieve_entry(&self, hash: &UpMultihash) -> Result<Option<Entry>> {
@@ -538,6 +546,16 @@ impl UpEndConnection {
     }
 }
 
+lazy_static! {
+    static ref DUMMY_HASH: String = Argon2::default()
+        .hash_password(
+            "password".as_ref(),
+            &password_hash::SaltString::generate(&mut password_hash::rand_core::OsRng)
+        )
+        .unwrap()
+        .to_string();
+}
+
 #[cfg(test)]
 mod test {
     use upend_base::constants::{ATTR_IN, ATTR_LABEL};