Avoid leaking user existence info

2024-09-20 04:42:26 +02:00 · 2024-05-05 13:39:27 +02:00 · 2024-05-05 13:39:27 +02:00 · 886a5621f0
commit 886a5621f0
parent 6b66ec16d5
1 changed files with 25 additions and 4 deletions
--- a/etebase_server/fastapi/routers/authentication.py
+++ b/etebase_server/fastapi/routers/authentication.py
@ -1,3 +1,4 @@
+import random
 import typing as t
 from typing_extensions import Literal
 from datetime import datetime
@ -122,16 +123,36 @@ def get_login_user(request: Request, challenge: LoginChallengeIn) -> UserType:
            raise AuthenticationFailed(code="user_not_init", detail="User not properly init")
        return user
    except User.DoesNotExist:
-        raise AuthenticationFailed(code="user_not_found", detail="User not found")
+        return fake_user(username)


-def get_encryption_key(salt: bytes):
+FAKE_USER_COUNT = 1000
+
+
+def fake_user(username: str) -> UserType:
+    username_bytes = bytes(username, encoding="utf-8")
+    login_pubkey = get_encryption_key(b"", b"loginPubkey", username_bytes)[:32]
+    salt = get_encryption_key(b"", b"salt", username_bytes)[:16]
+
+    user = User()
+    user.username = username
+    user.id = random.Random(settings.SECRET_KEY + username).randint(0, FAKE_USER_COUNT)
+
+    userinfo = UserInfo()
+    userinfo.loginPubkey = login_pubkey
+    userinfo.salt = salt
+
+    user.userinfo = userinfo
+    return user
+
+
+def get_encryption_key(salt: bytes, person=b"etebase-auth", data: bytes = b""):
    key = nacl.hash.blake2b(settings.SECRET_KEY.encode(), encoder=nacl.encoding.RawEncoder)
    return nacl.hash.blake2b(
-        b"",
+        data=data,
        key=key,
        salt=salt[: nacl.hash.BLAKE2B_SALTBYTES],
-        person=b"etebase-auth",
+        person=person,
        encoder=nacl.encoding.RawEncoder,
    )