From ec38b18e34cbb210b9b721291fd8df9b11392979 Mon Sep 17 00:00:00 2001
From: Peter Jaszkowiak
Date: Wed, 1 Nov 2017 18:57:52 -0600
Subject: [PATCH] Always compare password with a hash

Prevents quick response when user / email doesn't exist

---
 src/password.js | 37 ++++++++++++++++++++++++++++++-------
 1 file changed, 30 insertions(+), 7 deletions(-)

diff --git a/src/password.js b/src/password.js
index 6cc1e1776a..439c0592d7 100644
--- a/src/password.js
+++ b/src/password.js
@@ -4,16 +4,39 @@
 var path = require('path');
 var fork = require('./meta/debugFork');
 
-exports.hash = function (rounds, password, callback) {
+function hash(rounds, password, callback) {
 	forkChild({ type: 'hash', rounds: rounds, password: password }, callback);
-};
+}
+
+exports.hash = hash;
 
-exports.compare = function (password, hash, callback) {
-	if (!hash || !password) {
-		return setImmediate(callback, null, false);
+var fakeHashCache;
+function getFakeHash(callback) {
+	if (fakeHashCache) {
+		return callback(null, fakeHashCache);
 	}
-	forkChild({ type: 'compare', password: password, hash: hash }, callback);
-};
+
+	hash(12, Math.random().toString(), function (err, hash) {
+		if (err) {
+			return callback(err);
+		}
+
+		fakeHashCache = hash;
+		callback(null, fakeHashCache);
+	});
+}
+
+function compare(password, hash, callback) {
+	getFakeHash(function (err, fakeHash) {
+		if (err) {
+			return callback(err);
+		}
+
+		forkChild({ type: 'compare', password: password, hash: hash || fakeHash }, callback);
+	});
+}
+
+exports.compare = compare;
 
 function forkChild(message, callback) {
 	var child = fork(path.join(__dirname, 'bcrypt'));
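Review bot: The fake hash built in getFakeHash uses a hard-coded cost of 12 while `hash(rounds, ...)` lets callers pick the cost for real user hashes, so on a deployment configured with a different round count a compare against `fakeHash` still takes a measurably different time than a compare against a stored hash, and the timing difference this commit sets out to hide survives. The cost should be taken from the same setting callers pass to `hash()` (or the cache keyed by rounds); until then a comment above the `hash(12, ...)` call such as `// NOTE: cost must equal the rounds used for real user hashes, or the timing mitigation is defeated` would at least stop it drifting silently. Separately, in compare the child's verdict is passed back unchanged even when `hash` was falsy, so a caller receives `true` if the supplied password happens to equal the `Math.random()`-derived fake input; wrapping the callback as `function (err, res) { callback(err, hash ? res : false); }` makes a missing hash always fail closed. The original `!password` guard was also dropped, so an undefined password now reaches the bcrypt child; whether that errors rather than yielding false depends on src/bcrypt.js, which is outside this hunk.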