spring-security/core
Rob Winch c076f0f2e1 SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.

The code has been updated to do comparison against a dummy password
even when the user was not found.
2012-10-07 12:14:08 -05:00
src SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found 2012-10-07 12:14:08 -05:00
core.gradle SEC-1906: Update to Gradle 1.0 2012-07-05 12:41:56 -05:00
template.mf SEC-1743: Separate remoting from core into separate module. 2011-05-16 00:19:30 +01:00