mirror of
https://github.com/immich-app/immich.git
synced 2026-05-18 03:10:24 +03:00
8011adadb6
Always call compareBcrypt in the login path regardless of whether the email is registered. When no user is found, a dummy hash is used so the bcrypt KDF still runs and response latency is constant, making it impossible to enumerate valid email addresses by measuring response time.