From f92e96831c1e946eed3411140763e749b5017953 Mon Sep 17 00:00:00 2001
From: yusing
Date: Sun, 15 Feb 2026 20:02:19 +0800
Subject: [PATCH] fix(auth): reorder password validation to enhance security against timing attacks

- Always perform bcrypt comparison before checking the username to mitigate potential timing attack vulnerabilities.
---
 internal/auth/userpass.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/internal/auth/userpass.go b/internal/auth/userpass.go
index e9fc3343..8233665f 100644
--- a/internal/auth/userpass.go
+++ b/internal/auth/userpass.go
@@ -137,11 +137,12 @@ func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request)
 }
 
 func (auth *UserPassAuth) validatePassword(user, pass string) error {
-	if user != auth.username {
-		return ErrInvalidUsername
-	}
+	// always perform bcrypt comparison to avoid timing attacks
 	if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil {
 		return err
 	}
+	if user != auth.username {
+		return ErrInvalidUsername
+	}
 	return nil
 }
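Review bot: The two failure paths of validatePassword still return distinguishable errors — the bcrypt error from `return err` and `ErrInvalidUsername` from the re-added username check — so if the calling handler surfaces them differently (not visible in this hunk), a caller can learn that a guessed password matched auth.pwdHash even with a wrong username, which is the same oracle the reordering is meant to close. Collapsing both failures onto one sentinel removes that distinction independent of ordering, e.g. `if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil { return ErrInvalidUsername }` or a new generic credentials sentinel, keeping only non-mismatch errors (e.g. a malformed stored hash, checked with `errors.Is(err, bcrypt.ErrMismatchedHashAndPassword)`) as a separate return for logging. The added `user != auth.username` is also a length- and byte-dependent compare; `if subtle.ConstantTimeCompare([]byte(user), []byte(auth.username)) != 1 {` keeps the post-bcrypt path constant-time as well, at the cost of a `crypto/subtle` import. A short comment above the function stating that both checks are always evaluated and that callers must not expose which one failed would document the intent the commit message describes.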