fix: introduce artificial delay + delay fudging on invalid email during reset token generation

4 years ago · f6c14d6b62
parent 229f96f872
commit f6c14d6b62
1 changed files with 2 additions and 1 deletions
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@ -86,9 +86,10 @@ SocketUser.reset.send = async function (socket, email) {
 	try {
 		await user.reset.send(email);
 		await logEvent('[[success:success]]');
-		await sleep(2500);
+		await sleep(2500 + ((Math.random() * 500) - 250));
 	} catch (err) {
 		await logEvent(err.message);
+		await sleep(2500 + ((Math.random() * 500) - 250));
 		const internalErrors = ['[[error:invalid-email]]', '[[error:reset-rate-limited]]'];
 		if (!internalErrors.includes(err.message)) {
 			throw err;