
Avoid leaking user existence info #180

Open

wants to merge 1 commit into base: master
Conversation


@1fexd 1fexd commented May 5, 2024

An attempt to fix #179 by returning a fake user instead of an error when no user with the requested username exists

FAKE_USER_COUNT = 1000


def fake_user(username: str) -> UserType:
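Review bot: fake_user must return a record that is a deterministic function of the username, otherwise two requests for the same nonexistent name yield different ids and reveal that no real user exists (the point raised in the comment below). Derive the id, and any pubkey/salt fields, from a keyed hash of the username with a server-side secret rather than drawing a fresh random value from the FAKE_USER_COUNT pool, and check that the fake path matches the real-user path in response shape and timing.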
Member
It's a good idea, but this is unfortunately not effective.

The returned user id is random every time, so just hit this API twice to check for existence. Additionally, I haven't had the time to analyze the use of static pubkeys/salts, but I'm concerned that may have issues too.

Author

> The returned user id is random every time, so just hit this API twice to check for existence.

Oh, you are absolutely right, didn't think of that
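The fix the maintainer's objection points to, as an added example that is not code from this PR or the project: derive the fake record from a keyed hash of the username so repeated lookups of the same nonexistent name return identical values. The `UserType` shape, `SERVER_SECRET`, and the helper names are assumptions; `FAKE_USER_COUNT` is taken from the PR.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed for this example: in a real deployment the secret comes from
# configuration and must stay stable across restarts and replicas, otherwise
# the fake records change and the two-request check works again.
SERVER_SECRET = secrets.token_bytes(32)
FAKE_USER_COUNT = 1000


@dataclass(frozen=True)
class UserType:
    # Hypothetical minimal shape; the project's real type is not on the page.
    id: int
    username: str
    pubkey: bytes
    salt: bytes


def _prf(label: bytes, username: str, out_len: int) -> bytes:
    """Keyed PRF over (label, username): same input always gives same output."""
    msg = label + b"\x00" + username.encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:out_len]


def fake_user_random(username: str) -> UserType:
    """The rejected pattern: fresh random values on every request."""
    return UserType(
        id=secrets.randbelow(FAKE_USER_COUNT),
        username=username,
        pubkey=secrets.token_bytes(32),
        salt=secrets.token_bytes(16),
    )


def fake_user_deterministic(username: str) -> UserType:
    """Fake record derived from the username, so repeated lookups agree."""
    uid = int.from_bytes(_prf(b"id", username, 4), "big") % FAKE_USER_COUNT
    return UserType(
        id=uid,
        username=username,
        pubkey=_prf(b"pubkey", username, 32),
        salt=_prf(b"salt", username, 16),
    )


def varies_across_requests(fake_fn, username: str, tries: int = 8) -> bool:
    """Simulates the repeat-request check: do lookups of one name disagree?"""
    return len({fake_fn(username) for _ in range(tries)}) > 1
```

This only closes the repeat-request channel; the maintainer's concern about static pubkeys/salts and the timing of the fake path relative to the real-user path remain separate checks.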


Successfully merging this pull request may close these issues.

Login endpoints leaks info about the existence of users