ecton
commented
2 years ago I've finally spent some time looking into this rather than just thinking about it.
I'm curious how much of a statistical significance the difference in the response time to the login_with_password request takes. The only difference is the deserialization of the user record itself.
I'm not sure how we can make the lookup constant time without caching the entire user set in memory, which isn't feasible for our hypothetical idea of hosting an MMO -- millions of potential players, I know I wouldn't want to dedicate that much RAM.
I agree with the idea that we should add an artificial delay on all responses, perhaps self-tuning based on measuring the average response time to looking up a user record.
Great suggestion.
daxpedda
To protect against client-enumeration attacks, it is useful to sometimes build a custom delay when registering or logging in. This is far from ideal and I believe would be better served by the database.
I'm unaware if this is something an other DB implements, but I think it would be incredibly unique and useful.
So the goal is to provide an API to query login data, but the time it takes should always be the same, even if the account doesn't exist. I think this feature would be useful in a couple of other use-cases, but I don't believe it's necessary to expand the scope of this any further, e.g. more complex queries.