User Enumeration

Code not vulnerable to a timing attack
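// A real bcrypt hash to compare against when the username is unknown.
// An empty string is not a valid bcrypt hash: bcrypt.compare(password, '')
// returns false *without* running the key derivation, so that fast path
// would still let an attacker tell existing usernames from unknown ones.
// Computed once at startup so the request path pays only the compare.
// NOTE(review): the cost factor must match the one used for stored user
// hashes (10 is the library default) or the timing still differs — confirm.
const DUMMY_PASSWORD_HASH = bcrypt.hashSync('placeholder-never-a-real-password', 10);

/**
 * Login handler.
 *
 * Responds 401 for an unknown username and for a wrong password alike, and
 * runs a full bcrypt compare in both cases so response time does not reveal
 * whether the username exists (user enumeration).
 *
 * @param {object} request - username/password are read from request.params
 *   as in the original; for a POST form they normally arrive in request.body
 *   — confirm against the route definition.
 * @param {object} response - Express response; 302 to '/' on success,
 *   400 on a malformed request, 401 on failed authentication.
 * @param {function} next - receives a bcrypt error (fail closed via the
 *   app's error handler instead of silently treating it as "no match").
 */
app.post('/login', (request, response, next) => {
  const { username, password } = request.params;

  // bcrypt.compare rejects non-string input, so check the request shape
  // before doing any lookup. This branch is about request validity, not
  // user existence, so responding early leaks nothing about accounts.
  if (typeof username !== 'string' || typeof password !== 'string') {
    response.status(400).end();
    return;
  }

  const user = getUser(username);

  // Always compare against a genuine hash of the same cost, so the work
  // done (and therefore the response time) is the same whether or not the
  // username exists in the database.
  const passwordHash = user ? user.hashedPassword : DUMMY_PASSWORD_HASH;

  bcrypt.compare(password, passwordHash, (error, matched) => {
    if (error) {
      next(error);
      return;
    }

    // `user &&` guarantees a match against the dummy hash can never log in.
    if (user && matched) {
      // NOTE(review): consider regenerating the session id here before
      // storing the identity (session fixation) — e.g. express-session's
      // request.session.regenerate — confirm which session middleware is used.
      request.session.username = username;
      response.redirect('/');
    } else {
      // Same status and body for "no such user" and "wrong password".
      // .end() is required: status() alone never sends the response.
      response.status(401).end();
    }
  });
});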