fix: Normalize login response timing to prevent user enumeration

mtrezza · mtrezza · commit 06cfc047d21b · 2026-04-05T13:29:18.000+01:00
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -82,6 +82,32 @@ describe('Parse.User testing', () => {
     }
   });
 
+  it('normalizes login response time for non-existent and existing users', async () => {
+    const passwordCrypto = require('../lib/password');
+    const compareSpy = spyOn(passwordCrypto, 'compare').and.callThrough();
+    await Parse.User.signUp('existinguser', 'password123');
+    compareSpy.calls.reset();
+
+    // Login with non-existent user
+    try {
+      await Parse.User.logIn('nonexistentuser', 'wrongpassword');
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    }
+    // bcrypt.compare should have been called even for non-existent user
+    expect(compareSpy).toHaveBeenCalledTimes(1);
+    compareSpy.calls.reset();
+
+    // Login with existing user but wrong password
+    try {
+      await Parse.User.logIn('existinguser', 'wrongpassword');
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    }
+    // bcrypt.compare should have been called for existing user
+    expect(compareSpy).toHaveBeenCalledTimes(1);
+  });
+
   it('logs username taken with configured log level', async () => {
     await reconfigureServer({ logLevels: { signupUsernameTaken: 'warn' } });
     const logger = require('../lib/logger').default;
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -108,7 +108,13 @@ export class UsersRouter extends ClassesRouter {
         .find('_User', query, {}, Auth.maintenance(req.config))
         .then(results => {
           if (!results.length) {
-            throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
+            // Perform a dummy bcrypt compare to normalize response timing,
+            // preventing user enumeration via timing side-channel
+            return passwordCrypto
+              .compare(password, passwordCrypto.dummyHash)
+              .then(() => {
+                throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
+              });
           }
 
           if (results.length > 1) {
diff --git a/src/password.js b/src/password.js
@@ -27,7 +27,13 @@ function compare(password, hashedPassword) {
   return bcrypt.compare(password, hashedPassword);
 }
 
+// Pre-computed bcrypt hash (cost factor 10) used for timing normalization.
+// The actual value is irrelevant; it ensures bcrypt.compare() runs with
+// realistic cost even when no real password hash is available.
+const dummyHash = '$2b$10$Wd1gvrMYPnQv5pHBbXCwCehxXmJSEzRqNON0ev98L6JJP5296S35i';
+
 module.exports = {
   hash: hash,
   compare: compare,
+  dummyHash: dummyHash,
 };
