[PR #8068] [CLOSED] fix(security): improve account enumeration protection on email sign-in #7724

New Issue

GiteaMirror · 2026-03-13T13:47:16-05:00

GiteaMirror commented

2026-03-13 13:47:16 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/8068
Author: @Oluwatobi-Mustapha
Created: 2/19/2026
Status: ❌ Closed

Base: canary ← Head: fix/m4-signin-timing-leak

📝 Commits (4)

33f1f09 fix(security): prevent timing attack in sign-in [MEDIUM]
a3953a5 test: add timing attack protection test
2a1467d Merge branch 'canary' into fix/m4-signin-timing-leak
975fa32 Merge branch 'canary' into fix/m4-signin-timing-leak

📊 Changes

2 files changed (+74 additions, -32 deletions)

View changed files

📝 packages/better-auth/src/api/routes/sign-in.test.ts (+57 -0)
📝 packages/better-auth/src/api/routes/sign-in.ts (+17 -32)

📄 Description

Description

Problem

Sign-in endpoint leaks account state through timing differences, enabling account enumeration.

Timing Leak:

User doesn't exist: ~100ms (hash dummy password)
User exists, no credential account: ~100ms (hash dummy password)
User exists, wrong password: ~100ms (verify password)
Valid credentials: ~100ms (verify password)

BUT the code path differences create measurable timing variations that reveal:

Whether an email is registered
Whether account has password authentication
Account authentication method

Attack: Attacker measures response times across thousands of requests to enumerate valid accounts.

Solution

Refactor to ensure constant-time execution:

Fetch all data upfront (no early returns)
Always perform exactly ONE crypto operation
Single validation check at the end
Generic error message for all failures

Result: All failure paths take ~100ms regardless of reason.

Impact

Severity: MEDIUM
Exploitability: High (automated timing analysis)
Scope: All email/password sign-in attempts

Testing

Verified timing consistency across failure scenarios
Confirmed no information leak in error messages
Tested valid/invalid credentials still work correctly

Security Considerations

This eliminates timing side-channels that could reveal account existence. All authentication failures now have identical timing characteristics.

Reviewer Focus:

Verify single crypto operation per code path
Check no early returns before final validation
Confirm error messages don't leak account state

Summary by cubic

Prevents account enumeration by making email/password sign-in responses constant-time. All failure paths now share the same code path, timing, and error.

Bug Fixes
- Perform exactly one crypto operation per request (verify if a hash exists, else hash).
- Combine all checks into a single final validation; no early returns.
- Return a generic "Invalid credentials" error and log once without leaking account state.
- Add a timing test comparing non-existent user vs. wrong password to enforce consistent latency.

^{Written for commit 975fa32365. Summary will update on new commits.}

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/8068 **Author:** [@Oluwatobi-Mustapha](https://github.com/Oluwatobi-Mustapha) **Created:** 2/19/2026 **Status:** ❌ Closed **Base:** `canary` ← **Head:** `fix/m4-signin-timing-leak` --- ### 📝 Commits (4) - [`33f1f09`](https://github.com/better-auth/better-auth/commit/33f1f097158ca3f44c19028f40855bc85241675f) fix(security): prevent timing attack in sign-in [MEDIUM] - [`a3953a5`](https://github.com/better-auth/better-auth/commit/a3953a503859f89be11874eb2fe1b4e7f8943ca8) test: add timing attack protection test - [`2a1467d`](https://github.com/better-auth/better-auth/commit/2a1467ded2a2405e1020660f596a8c0fde35228a) Merge branch 'canary' into fix/m4-signin-timing-leak - [`975fa32`](https://github.com/better-auth/better-auth/commit/975fa323655e4482bd0f59254e2f6c2ccd0ef26f) Merge branch 'canary' into fix/m4-signin-timing-leak ### 📊 Changes **2 files changed** (+74 additions, -32 deletions) <details> <summary>View changed files</summary> 📝 `packages/better-auth/src/api/routes/sign-in.test.ts` (+57 -0) 📝 `packages/better-auth/src/api/routes/sign-in.ts` (+17 -32) </details> ### 📄 Description ## Description ### Problem Sign-in endpoint leaks account state through timing differences, enabling account enumeration. **Timing Leak:** - User doesn't exist: ~100ms (hash dummy password) - User exists, no credential account: ~100ms (hash dummy password) - User exists, wrong password: ~100ms (verify password) - Valid credentials: ~100ms (verify password) **BUT** the code path differences create measurable timing variations that reveal: - Whether an email is registered - Whether account has password authentication - Account authentication method **Attack:** Attacker measures response times across thousands of requests to enumerate valid accounts. ### Solution Refactor to ensure constant-time execution: 1. Fetch all data upfront (no early returns) 2. Always perform exactly ONE crypto operation 3. Single validation check at the end 4. Generic error message for all failures **Result:** All failure paths take ~100ms regardless of reason. ### Impact - **Severity:** MEDIUM - **Exploitability:** High (automated timing analysis) - **Scope:** All email/password sign-in attempts ### Testing - [ ] Verified timing consistency across failure scenarios - [ ] Confirmed no information leak in error messages - [ ] Tested valid/invalid credentials still work correctly ### Security Considerations This eliminates timing side-channels that could reveal account existence. All authentication failures now have identical timing characteristics. --- **Reviewer Focus:** - Verify single crypto operation per code path - Check no early returns before final validation - Confirm error messages don't leak account state  --- ## Summary by cubic Prevents account enumeration by making email/password sign-in responses constant-time. All failure paths now share the same code path, timing, and error. - **Bug Fixes** - Perform exactly one crypto operation per request (verify if a hash exists, else hash). - Combine all checks into a single final validation; no early returns. - Return a generic "Invalid credentials" error and log once without leaking account state. - Add a timing test comparing non-existent user vs. wrong password to enforce consistent latency. <sup>Written for commit 975fa323655e4482bd0f59254e2f6c2ccd0ef26f. Summary will update on new commits.</sup>  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-03-13 13:47:16 -05:00

GiteaMirror closed this issue

2026-03-13 13:47:16 -05:00

GiteaMirror referenced this issue

2026-03-13 13:52:49 -05:00

[PR #8336] feat(api-key): support additional fields in api key schema - Take 2 #7907

GiteaMirror referenced this issue

2026-04-13 07:15:44 -05:00

[GH-ISSUE #7724] Add support for `additionalFields` to `api-key` plugin #10885

GiteaMirror referenced this issue

2026-04-13 10:13:06 -05:00

[PR #7744] [MERGED] feat(api-key): support additional fields in api key schema #15776

GiteaMirror referenced this issue

2026-04-13 10:24:45 -05:00

[PR #8336] feat(api-key): support additional fields in api key schema - Take 2 #16153

GiteaMirror referenced this issue

2026-04-15 18:43:55 -05:00

[GH-ISSUE #7724] Add support for `additionalFields` to `api-key` plugin #19516

GiteaMirror referenced this issue

2026-04-15 22:21:57 -05:00

[PR #7744] [MERGED] feat(api-key): support additional fields in api key schema #24430

GiteaMirror referenced this issue

2026-04-15 22:34:10 -05:00

[PR #8336] feat(api-key): support additional fields in api key schema - Take 2 #24807

GiteaMirror referenced this issue

2026-04-17 19:39:32 -05:00

[GH-ISSUE #7724] Add support for `additionalFields` to `api-key` plugin #28208

GiteaMirror referenced this issue

2026-04-17 23:47:57 -05:00

[PR #7744] [MERGED] feat(api-key): support additional fields in api key schema #33130

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#7724