From 184060fb79fb2cc77f7cd868677b7382b9663969 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Sun, 17 Mar 2024 10:00:01 +0100
Subject: [PATCH] Modified HTTP authentication functionality
---
 svr.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/svr.js b/svr.js
index 9f23999..451912d 100644
--- a/svr.js
+++ b/svr.js
@@ -4551,8 +4551,7 @@ if (!cluster.isPrimary) {
 function checkIfPasswordMatches(list, password, callback, _i) {
 if (!_i) _i = 0;
 var cb = function (hash) {
- var matches = (hash == list[_i].pass);
- if (matches) {
+ if (hash == list[_i].pass) {
 callback(true);
 } else if (_i >= list.length - 1) {
 callback(false);
@@ -4653,10 +4652,11 @@ if (!cluster.isPrimary) {
 });
 }
 if (usernameMatch.length == 0) {
+ // Pushing false user match to prevent time-based user enumeration
 usernameMatch.push({
 name: username,
- pass: "FAKEPASS",
- salt: "FAKESALT"
+ pass: "SVRJSAWebServerRunningOnNodeJS",
+ salt: "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0"
 }); // Fake credentials
 }
 checkIfPasswordMatches(usernameMatch, password, function (authorized) {
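Review bot: The check `if (hash == list[_i].pass) {` inside `cb` compares a password hash with loose, early-exit equality, which sits oddly in a commit whose stated goal is removing timing differences from authentication. At minimum it should be `if (hash === list[_i].pass) {` so no type coercion can take part in the decision. Better, convert both values to Buffers, confirm they have equal length, and compare them with `crypto.timingSafeEqual`, assuming `crypto` is already loaded in svr.js, which this hunk does not show. `checkIfPasswordMatches` continues past the end of the hunk, so how `hash` is produced is not visible here.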
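Review bot: The dummy record pushed when `usernameMatch.length == 0` only equalises timing if `checkIfPasswordMatches` does the same hashing work for it as for a real account, and the outcome of that call is still trusted as-is. If stored entries carry an algorithm or cost selector (not visible in this hunk), a record holding only `name`, `pass` and `salt` would take the cheapest path and unknown usernames would stay distinguishable by response time; the dummy should mirror the fields of the strongest configured scheme. It would also be safer not to depend on the constant `pass` never equalling a hash output: set `var fakeUser = (usernameMatch.length == 0);` before the push and treat the callback result as `authorized && !fakeUser`. The enclosing block starts and ends outside the hunk.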