LukeMathWalker / zero-to-production

Code for "Zero To Production In Rust", a book on API development using Rust.
https://www.zero2prod.com
Apache License 2.0

10.2.5 `unknown username` won't be returned #253

Open indirection42 opened 9 months ago

indirection42 commented 9 months ago

Since we use a default PHC string to make the verification time-constant, the actual Unknown Username case will return early as Invalid password.

    spawn_blocking_with_tracing(move || {
        verify_password_hash(expected_password_hash, credentials.password)
    })
    .await 
    // early return
    .context("Failed to spawn blocking task.")??;
    user_id
        // dead code
        .ok_or_else(|| anyhow::anyhow!("Unknown username."))
        .map_err(AuthError::InvalidCredentials)
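
The control flow in the snippet above, modelled as an added example (not code from the repository or the book): Argon2 is replaced by a std-only stand-in hash, and the user store, `toy_hash` and `FALLBACK_PASSWORD` are constructed for illustration. It goes one case beyond the comment by also submitting the password behind the fallback hash, the one input for which verification succeeds while `user_id` is still `None`.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

// Stand-in for Argon2 so the sketch needs no crates. NOT a password hash.
fn toy_hash(password: &str) -> u64 {
    let mut h = DefaultHasher::new();
    password.hash(&mut h);
    h.finish()
}

// Mirrors the snippet's verify step: Err("Invalid password.") on mismatch.
fn verify_password_hash(expected: u64, candidate: &str) -> Result<(), String> {
    if toy_hash(candidate) == expected {
        Ok(())
    } else {
        Err("Invalid password.".to_string())
    }
}

// Constructed user store: username -> (user_id, stored hash).
fn users() -> HashMap<&'static str, (u32, u64)> {
    HashMap::from([("alice", (1, toy_hash("correct horse")))])
}

// Hypothetical password behind the fallback hash (constructed for this sketch).
const FALLBACK_PASSWORD: &str = "fallback-secret";

// Same control flow as the snippet: verify first with `?`, then check user_id.
fn validate_credentials(username: &str, password: &str) -> Result<u32, String> {
    let mut user_id = None;
    let mut expected = toy_hash(FALLBACK_PASSWORD); // default used for unknown users
    if let Some((id, hash)) = users().get(username) {
        user_id = Some(*id);
        expected = *hash;
    }
    // Always runs, so known and unknown usernames do the same hashing work.
    verify_password_hash(expected, password)?;
    // Reached only when verification succeeded. For an unknown user that means
    // the candidate matched the fallback hash; this check refuses that login.
    user_id.ok_or_else(|| "Unknown username.".to_string())
}

fn main() {
    for (u, p) in [("alice", "correct horse"), ("alice", "nope"),
                   ("mallory", "nope"), ("mallory", FALLBACK_PASSWORD)] {
        println!("{u:8} {p:16} -> {:?}", validate_credentials(u, p));
    }
}
```

In this model an unknown username with an ordinary wrong password yields "Invalid password.", as the comment describes, while the final `ok_or_else` is what stops a request that matches the fallback hash from being treated as authenticated.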