User Enumeration

Code vulnerable to a timing attack
// Login handler used on this page to illustrate a user-enumeration timing
// side channel: the (deliberately slow) bcrypt comparison is performed only
// when the username exists, so the 401 for an unknown user arrives measurably
// faster than the 401 for a known user with a wrong password.
// Mitigation (not applied here): perform a comparison of equal cost on both
// paths — e.g. compare against a stored dummy hash when the user is not
// found — and return the same generic 401 for both failure cases.
app.post('/login', (request, response) => {
  // NOTE(review): credentials are read from request.params (route parameters);
  // for a POST login they are presumably carried in the body — confirm against
  // the route definition and body parser, which are not shown here.
  const user = getUser(request.params.username);

  // The function returns early if the username is incorrect.
  // This branch does no hashing, so its response time is the short baseline
  // an attacker compares against.
  if (!user) {
    // NOTE(review): status(401) only sets the status code; nothing here ends
    // the response (in Express that would be sendStatus(401) or end()), so
    // the client would wait until the request times out — confirm intent.
    response.status(401);
    return;
  }

  // This code path will only get executed if the username is
  // correct, allowing an attacker to infer the existence of a
  // username by timing how long the HTTP response takes.
  // bcrypt.compare is intentionally expensive; that delay is the signal.
  bcrypt.compare(request.params.password, user.hashedPassword, (error, matched) => {
    // NOTE(review): `error` is never inspected; a comparison failure
    // presumably leaves `matched` unset and falls through to the 401 below.
    if (matched) {
      request.session.username = request.params.username;
      // NOTE(review): `self` is not declared anywhere in this listing;
      // presumably response.redirect('/') was intended.
      self.redirect('/');
    } else {
      // Same status as the unknown-user branch, but only reached after the
      // hash comparison — hence the timing difference described above.
      response.status(401);
    }
  });
});