LOW: Login rate limiter bypassed when no users exist (first-run timing window) #83

Open
opened 2026-05-31 12:04:08 -05:00 by null · 0 comments
Owner

Bug Description

server.js:46-60 implements skipRateLimitIfNoUsers() which queries the DB on every login request when no session exists. This means:

  1. A timing side-channel reveals whether any users exist (different response times)
  2. During the window when no users exist, the login endpoint has zero rate limiting, enabling rapid brute-force attempts against the first admin account creation

Impact

Minimal in practice - the window is only during initial setup. But the timing leak could be used to fingerprint whether the app has been set up.

Recommended Fix

Consider a fixed-rate limit even for the no-users state (e.g., 20 requests/15min) that allows legitimate setup while preventing abuse.
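The following is an added illustration of the recommended fix, not BillTracker's own `server.js` code: a fixed-window limiter that is always applied to the login route, with a lower cap (5/15min, an assumed value) once users exist and the suggested 20/15min cap while the instance is still in first-run setup. The "do any users exist" answer is held in a flag refreshed when an account is created rather than queried from the database on every request, so the per-request work is the same in both states and no longer reveals which one the app is in. The function names, thresholds and the `203.0.113.7` client address are all assumptions constructed for the example.

```javascript
// Added example (not BillTracker's code). A fixed-window login rate limiter
// that stays active during first-run setup instead of being skipped.

const WINDOW_MS = 15 * 60 * 1000; // 15 minutes, matching the issue's suggestion

// Cached setup-state flag: computed once from the user count at startup and
// flipped when the first account is created. No DB query per login request,
// so response time does not depend on whether any users exist.
function createSetupState(initialUserCount) {
  let setupMode = initialUserCount === 0;
  return {
    isSetupMode: () => setupMode,
    onUserCreated: () => { setupMode = false; },
  };
}

// Fixed-window limiter keyed by client address. normalMax (assumed 5) applies
// once users exist; setupMax (20, from the issue) applies in the no-users state.
function createLoginLimiter({ normalMax = 5, setupMax = 20, windowMs = WINDOW_MS } = {}) {
  const buckets = new Map(); // key -> { count, windowStart }

  // Decide for one request. Same code path in both modes; only the cap differs.
  function check(key, setupMode, now = Date.now()) {
    const max = setupMode ? setupMax : normalMax;
    let b = buckets.get(key);
    if (!b || now - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: now }; // start a fresh window
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= max;
    const retryAfterMs = allowed ? 0 : b.windowStart + windowMs - now;
    return { allowed, remaining: Math.max(0, max - b.count), retryAfterMs };
  }

  return { check };
}

// Express-style middleware (plain (req, res, next) function, no dependency)
// that applies the limiter unconditionally and answers 429 when exceeded.
function loginRateLimitMiddleware(limiter, setupState) {
  return function (req, res, next) {
    const r = limiter.check(req.ip, setupState.isSetupMode());
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many login attempts' });
    }
    next();
  };
}

// Simulation helper: how many of n back-to-back attempts from one address
// get through while the instance is still in the no-users state.
function simulateSetupBurst(n, at = 1000000) {
  const limiter = createLoginLimiter();
  const state = createSetupState(0); // constructed: fresh install, zero users
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.check('203.0.113.7', state.isSetupMode(), at).allowed) allowed++;
  }
  return allowed;
}

module.exports = { WINDOW_MS, createSetupState, createLoginLimiter, loginRateLimitMiddleware, simulateSetupBurst };
```

Mounting `loginRateLimitMiddleware(createLoginLimiter(), setupState)` on the login route in place of a conditional skip means the limiter decision never touches the database; `setupState.onUserCreated()` is called from the account-creation handler so the cap tightens as soon as the first user exists.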

null added the
backend
priority:low
labels 2026-05-31 12:04:08 -05:00

Reference: null/BillTracker#83