fix: prevent username enumeration via login timing attack

[rotarymars]

Description

Creating a safer login system.
This tries to make the return speed consistent regardless of whether the username exists or not.

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to change)
• 📝 Documentation update
• 🎨 Style/UI change
• ♻️ Refactor (no functional changes)
• 🔧 Configuration change

Changes Made

• Added a dummy hash check

Testing

• Tested locally with npm run dev
• Build passes (npm run build)
• Lint passes (npm run lint)

Screenshots (if applicable)

Checklist

• My code follows the project's coding style
• I have performed a self-review of my code
• I have commented my code where necessary
• My changes generate no new warnings
• Any dependent changes have been merged and published

Related Issues

Summary by CodeRabbit

Bug Fixes

• Improved authentication security by implementing consistent response timing during login validation, preventing potential vulnerabilities from timing-based analysis
• Enhanced signup reliability by updating password hashing to asynchronous processing, ensuring credentials are properly stored before user registration completes

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
kss-it-committee-github-io	Ready	Preview, Comment	Mar 19, 2026 1:02am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fb24589d-81c4-4860-ae62-28e590ee9f90

📥 Commits

Reviewing files that changed from the base of the PR and between 646cf73 and 48859ff.

📒 Files selected for processing (2)

• src/app/api/auth/login/route.ts
• src/app/api/auth/signup/route.ts

---

📝 Walkthrough

Walkthrough

The changes enhance authentication security by implementing timing-attack resistance in the login endpoint through constant-time bcrypt comparison and converting synchronous password hashing to asynchronous in the signup endpoint. Both modifications improve the security posture of the auth system.

Changes

Cohort / File(s)	Summary
Login Timing-Attack Resistance src/app/api/auth/login/route.ts	Implements constant-time password verification by always performing bcrypt comparison regardless of whether user exists, comparing against a dummy hash when user is not found. Updates credential validation to treat missing users and failed password comparisons as unified authentication failures.
Async Password Hashing src/app/api/auth/signup/route.ts	Converts password hashing from synchronous bcrypt.hashSync() to asynchronous await bcrypt.hash(), ensuring the promise resolves before proceeding with user creation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Through authentication's winding path I hop,
Timing attacks? They simply cannot stop!
Async hashing makes the passwords bloom,
Security strengthened in the login room! 🔐✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main security fix: preventing username enumeration via login timing attack. It directly matches the primary objective of making login response timing consistent.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/login-timing-attack

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can generate a title for your PR based on the changes with custom instructions.

Set the reviews.auto_title_instructions setting to generate a title for your PR based on the changes in the PR with custom instructions.