5a9274078574cb155de2b25927cae8b64481a851
Information on whether a user with a given handle exists or not could be collected by checking the difference between response times of auth-required endpoints with and without a real handle being passed into Basic auth. This is because the time-expensive password hash would only be computed for users that exist, lengthening the response time. In local testing, this was a difference of 8ms vs. 35-60ms. A hash is now computed even if a user with the requested handle doesn't exist, mitigating the issue and leaving only negligible differences in between all response times, from which no information can be obtained.
Description: The goddess of memory will keep your quotes safe.
Languages: Rust 99.6%, CSS 0.4%
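The mitigation the commit message describes, sketched as an added example (not this project's code): credential checks before and after the fix, with a counter showing how many slow hashes each path computes. All names are hypothetical, and `slow_hash` is a std-only stand-in for a real password hash such as Argon2.

```rust
use std::cell::Cell;
use std::collections::HashMap;
// Stand-in for a slow password hash (e.g. Argon2); std-only, NOT for real password storage.
fn slow_hash(password: &str, salt: u64) -> u64 {
    (0..20_000).fold(salt, |h, _| {
        password.bytes().fold(h.rotate_left(13) ^ salt, |h, b| {
            (h ^ u64::from(b)).wrapping_mul(0x0100_0000_01b3)
        })
    })
}

struct Record { salt: u64, hash: u64 }
struct Auth {
    users: HashMap<String, Record>,
    decoy: Record,     // fixed record hashed against when the handle is unknown
    hashes: Cell<u32>, // instrumentation: slow hashes computed so far
}
impl Auth {
    fn new() -> Self {
        let decoy = Record { salt: 0x5eed, hash: slow_hash("decoy", 0x5eed) };
        Auth { users: HashMap::new(), decoy, hashes: Cell::new(0) }
    }
    fn add_user(&mut self, handle: &str, password: &str, salt: u64) {
        self.users.insert(handle.to_string(), Record { salt, hash: slow_hash(password, salt) });
    }
    fn check(&self, password: &str, rec: &Record) -> bool {
        self.hashes.set(self.hashes.get() + 1);
        slow_hash(password, rec.salt) == rec.hash
    }
    // Before the fix: an unknown handle returns without hashing, so it answers faster.
    fn verify_early_return(&self, handle: &str, password: &str) -> bool {
        self.users.get(handle).map_or(false, |rec| self.check(password, rec))
    }
    // After the fix: one hash per request; a decoy match never authenticates.
    fn verify_uniform(&self, handle: &str, password: &str) -> bool {
        let found = self.users.get(handle);
        let matched = self.check(password, found.unwrap_or(&self.decoy));
        found.is_some() && matched
    }
}

fn main() {
    let mut auth = Auth::new();
    auth.add_user("alice", "hunter2", 42); // constructed sample account
    for handle in ["alice", "nobody"] {
        let ok = auth.verify_uniform(handle, "guess");
        println!("{handle}: ok={ok}, hashes so far={}", auth.hashes.get());
    }
}
```

The hash is computed before the existence check is combined with the result, so `&&` cannot short-circuit past it.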