From f6c14d6b624038d0250f78d6581b970d64d35e28 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 11 Jun 2021 14:47:13 -0400
Subject: [PATCH] fix: introduce artificial delay + delay fudging on invalid email during reset token generation
---
 src/socket.io/user.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/socket.io/user.js b/src/socket.io/user.js
index 495bbe3bfe..359058eb61 100644
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -86,9 +86,10 @@ SocketUser.reset.send = async function (socket, email) {
 try {
 await user.reset.send(email);
 await logEvent('[[success:success]]');
- await sleep(2500);
+ await sleep(2500 + ((Math.random() * 500) - 250));
 } catch (err) {
 await logEvent(err.message);
+ await sleep(2500 + ((Math.random() * 500) - 250));
 const internalErrors = ['[[error:invalid-email]]', '[[error:reset-rate-limited]]'];
 if (!internalErrors.includes(err.message)) {
 throw err;
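Review bot: Both added `sleep(...)` calls run after `user.reset.send(email)` has already finished, so the response time is still the work time plus about 2500 ms. Any difference in work between a registered and an unregistered address therefore stays in the mean, and the ±250 ms jitter only adds noise around it rather than removing it. Padding to a fixed total would close that gap: take `const start = Date.now();` before the `try` and replace both sleeps with a single `await sleep(Math.max(0, TARGET_MS - (Date.now() - start)));` in a `finally`, where `TARGET_MS` is a placeholder for a budget above the slowest expected path. That also removes the duplicated jitter expression, and it keeps the current behaviour of delaying the rethrown error. The function starts above the hunk and continues past `throw err;`, so whether the caller adds any further timing-dependent work cannot be checked from here.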