The & operator is actually used deliberately here - the && operator shortcuts, which means that credential checking code using it is inherently vulnerable to timing attacks, which is why I never use it in the docs (and also not in the implementation for constant users for that matter)
The
&
operator is actually used deliberately here - the&&
operator shortcuts, which means that credential checking code using it is inherently vulnerable to timing attacks, which is why I never use it in the docs (and also not in the implementation for constant users for that matter)