BED-5264: Defend against time-based enumeration (#1167)

* BED-5264: Add arbitrary hash checking to defend against timebased enumeration

* BED-5264: Add arbitrary minimum response time with jitter to Login requests

* BED-5264: Add comment
Remove unnecessary route functionality

cmd/api/src/api/middleware/auth.go

@@ -18,6 +18,7 @@ package middleware
 
 import (
 	"fmt"
+	"math/rand/v2"
 	"net/http"
 	"strings"
 	"time"
@@ -198,3 +199,24 @@ func AuthorizeAuthManagementAccess(permissions auth.PermissionSet, authorizer au
 		})
 	}
 }
+
+const loginMinimum = time.Second + 500*time.Millisecond
+const loginVariation = 500 * time.Millisecond
+
+// LoginTimer is a middleware to protect against time-based user enumeration on the Login route. It does this by
+// starting a timer before the actual login procedure to normalize the duration of this procedure to be within 1.5s and
+// 2s.
+func LoginTimer() mux.MiddlewareFunc {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
+			timer := time.NewTimer(loginMinimum + time.Duration(rand.Int64N(loginVariation.Nanoseconds())))
+
+			next.ServeHTTP(response, request)
+
+			select {
+			case <-timer.C:
+			case <-request.Context().Done():
+			}
+		})
+	}
+}

cmd/api/src/api/registration/v2.go

@@ -37,9 +37,10 @@ func registerV2Auth(resources v2.Resources, routerInst *router.Router, permissio
 		managementResource = authapi.NewManagementResource(resources.Config, resources.DB, resources.Authorizer, resources.Authenticator)
 	)
 
+	routerInst.POST("/api/v2/login", loginResource.Login).Use(middleware.DefaultRateLimitMiddleware(), middleware.LoginTimer())
+
 	router.With(middleware.DefaultRateLimitMiddleware,
 		// Login resources
-		routerInst.POST("/api/v2/login", loginResource.Login),
 		routerInst.GET("/api/v2/self", managementResource.GetSelf),
 		routerInst.POST("/api/v2/logout", loginResource.Logout),