From 19936cc36593559fba657497211285f888c147bb Mon Sep 17 00:00:00 2001
From: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Date: Wed, 7 Jul 2021 17:18:00 -0700
Subject: [PATCH] Hardcode fake salt and pw hash for timing attack prevention
 (#16932)

---
 src/metabase/api/session.clj | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/metabase/api/session.clj b/src/metabase/api/session.clj
index a28067dfd33..1006b2467e8 100644
--- a/src/metabase/api/session.clj
+++ b/src/metabase/api/session.clj
@@ -82,8 +82,8 @@
 (def ^:private disabled-account-snippet (deferred-tru "Your account is disabled."))
 
 ;; Fake salt & hash used to run bcrypt hash if user doesn't exist, to avoid timing attacks (Metaboat #134)
-(def ^:private fake-salt (str (UUID/randomUUID)))
-(def ^:private fake-hashed-password (creds/hash-bcrypt (str fake-salt "fake-password")))
+(def ^:private fake-salt "ee169694-5eb6-4010-a145-3557252d7807")
+(def ^:private fake-hashed-password "$2a$10$owKjTym0ZGEEZOpxM0UyjekSvt66y1VvmOJddkAaMB37e0VAIVOX2")
 
 (s/defn ^:private ldap-login :- (s/maybe {:id UUID, s/Keyword s/Any})
   "If LDAP is enabled and a matching user exists return a new Session for them, or `nil` if they couldn't be
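Review bot: The two hardcoded literals are now independent of each other and of the real password-hashing path, so nothing guarantees that the `$2a$10$` work factor in `fake-hashed-password` matches the work factor `creds/hash-bcrypt` uses for real user hashes; if those ever diverge, the verify call for a nonexistent user takes a measurably different time and the timing-equalization this snippet exists for is lost. The previous code derived the hash from `fake-salt` at load time, which kept the two in step automatically, so the fixed values should at least say how they were produced. I would extend the comment on the line above the defs with `;; NOTE: fake-hashed-password was generated from (str fake-salt "fake-password") with the same bcrypt work factor used for real hashes (the 10 in "$2a$10$"); if that work factor changes, regenerate this constant.` The `ldap-login` definition starting at the end of the hunk continues outside it.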
-- 
GitLab