refactor(timing-attack): simplify by removing configurable delay

maxdinech · maxdinech · commit 69aeedc2b2c3 · 2025-12-03T14:40:12.000+01:00
- Remove GOTRUE_SECURITY_TIMING_OBFUSCATION_DELAY config option
- Keep bcrypt-based timing obfuscation (provides ~100ms constant time)
- Simplify implementation while maintaining protection against basic timing attacks
diff --git a/example.env b/example.env
@@ -244,7 +244,6 @@ GOTRUE_LOG_LEVEL="debug"
 GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED="false"
 GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL="0"
 GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION="false"
-GOTRUE_SECURITY_TIMING_OBFUSCATION_DELAY="0"
 GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_CURRENT_PASSWORD="false"
 GOTRUE_OPERATOR_TOKEN="unused-operator-token"
 GOTRUE_RATE_LIMIT_HEADER="X-Forwarded-For"
diff --git a/internal/api/token.go b/internal/api/token.go
@@ -3,7 +3,6 @@ package api
 import (
 	"context"
 	"net/http"
-	"time"
 
 	"github.com/gofrs/uuid"
 
@@ -40,11 +39,9 @@ const InvalidLoginMessage = "Invalid login credentials"
 const dummyPasswordHash = "$2a$10$JUbiChr4qVqzEEHDLbRmgOvGTUajEl0g6JJjOzN.drbF9oX.iL/sq"
 
 // performDummyPasswordVerification prevents user enumeration via timing attacks
+// by performing a bcrypt comparison even when user is not found
 func (a *API) performDummyPasswordVerification(ctx context.Context, password string) {
 	_ = crypto.CompareHashAndPassword(ctx, dummyPasswordHash, password)
-	if delayMs := a.config.Security.TimingObfuscationDelay; delayMs > 0 {
-		time.Sleep(time.Duration(delayMs) * time.Millisecond)
-	}
 }
 
 // Token is the endpoint for OAuth access token requests
diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go
@@ -731,7 +731,6 @@ type SecurityConfiguration struct {
 	UpdatePasswordRequireReauthentication bool                 `json:"update_password_require_reauthentication" split_words:"true"`
 	UpdatePasswordRequireCurrentPassword  bool                 `json:"update_password_require_current_password" split_words:"true" default:"false"`
 	ManualLinkingEnabled                  bool                 `json:"manual_linking_enabled" split_words:"true" default:"false"`
-	TimingObfuscationDelay                int                  `json:"timing_obfuscation_delay" split_words:"true" default:"0"`
 
 	DBEncryption DatabaseEncryptionConfiguration `json:"database_encryption" split_words:"true"`
 }

Original file line number	Diff line number	Diff line change
`@@ -731,7 +731,6 @@ type SecurityConfiguration struct {`
`731`	`731`	UpdatePasswordRequireReauthentication bool `json:"update_password_require_reauthentication" split_words:"true"`
`732`	`732`	UpdatePasswordRequireCurrentPassword bool `json:"update_password_require_current_password" split_words:"true" default:"false"`
`733`	`733`	ManualLinkingEnabled bool `json:"manual_linking_enabled" split_words:"true" default:"false"`
`734`		- TimingObfuscationDelay int `json:"timing_obfuscation_delay" split_words:"true" default:"0"`
`735`	`734`
`736`	`735`	DBEncryption DatabaseEncryptionConfiguration `json:"database_encryption" split_words:"true"`
`737`	`736`	`}`