Files
immich/server
timonrieger 8011adadb6 fix(server): prevent login timing oracle by always running bcrypt
Always call compareBcrypt in the login path regardless of whether the
email is registered. When no user is found, a dummy hash is used so the
bcrypt KDF still runs and response latency is constant, making it
impossible to enumerate valid email addresses by measuring response time.
2026-04-30 11:54:00 +02:00
..