mapleopentech/monorepo
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit: Open sourcing all of the Maple Open Technologies code.

Browse source
This commit is contained in:
Bartlomiej Mika 2025-12-02 14:33:08 -05:00
commit 755d54a99d
2010 changed files with 448675 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

44
cloud/maplepress-backend/pkg/security/password/timing.go Normal file
View file

@ -0,0 +1,44 @@
// File Path: monorepo/cloud/maplepress-backend/pkg/security/password/timing.go
package password
import (
"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/security/securestring"
)
// DummyPasswordHash is a pre-computed valid Argon2id hash used for timing attack mitigation
// This hash is computed with the same parameters as real password hashes
// CWE-208: Observable Timing Discrepancy - Prevents user enumeration via timing attacks
const DummyPasswordHash = "$argon2id$v=19$m=65536,t=3,p=2$c29tZXJhbmRvbXNhbHQxMjM0$kixiIQQ/y8E7dSH0j8p8KPBUlCMUGQOvH2kP7XYPkVs"
// ComparePasswordWithDummy performs password comparison but always uses a dummy hash
// This is used when a user doesn't exist to maintain constant time behavior
// CWE-208: Observable Timing Discrepancy - Mitigates timing-based user enumeration
func (p *passwordProvider) ComparePasswordWithDummy(password *securestring.SecureString) error {
// Perform the same expensive operation (Argon2 hashing) even for non-existent users
// This ensures the timing is constant regardless of whether the user exists
_, _ = p.ComparePasswordAndHash(password, DummyPasswordHash)
// Always return false (user doesn't exist, so authentication always fails)
// The important part is that we spent the same amount of time
return nil
}
// TimingSafeCompare performs a timing-safe password comparison
// It always performs the password hashing operation regardless of whether
// the user exists or the password matches
// CWE-208: Observable Timing Discrepancy - Prevents timing attacks
func TimingSafeCompare(provider PasswordProvider, password *securestring.SecureString, hash string, userExists bool) (bool, error) {
if !userExists {
// User doesn't exist - perform dummy hash comparison to maintain constant time
if pp, ok := provider.(*passwordProvider); ok {
_ = pp.ComparePasswordWithDummy(password)
} else {
// Fallback if type assertion fails
_, _ = provider.ComparePasswordAndHash(password, DummyPasswordHash)
}
return false, nil
}
// User exists - perform real comparison
return provider.ComparePasswordAndHash(password, hash)
}