fix(account): Account enumeration timing attack

pennersr · Mar 31, 2023 · 6acb0dc · 6acb0dc
1 parent 367865f
commit 6acb0dc
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/allauth/account/auth_backends.py b/allauth/account/auth_backends.py
@@ -36,10 +36,14 @@ def _authenticate_by_username(self, **credentials):
         try:
             # Username query is case insensitive
             user = filter_users_by_username(username).get()
-            if self._check_password(user, password):
-                return user
         except User.DoesNotExist:
+            # Run the default password hasher once to reduce the timing
+            # difference between an existing and a nonexistent user.
+            get_user_model()().set_password(password)
             return None
+        else:
+            if self._check_password(user, password):
+                return user
 
     def _authenticate_by_email(self, **credentials):
         # Even though allauth will pass along `email`, other apps may