···

       
328
       
328
       
 
       


     

       
329
       
329
       
 
       
				if (!response.ok) {

     

       
330
       
330
       
 
       
					const data = await response.json();

     

       
331
       
331
       
-
       


     

       
332
       
332
       
-
       
					if (

     

       
333
       
333
       
-
       
						response.status === 401 &&

     

       
334
       
334
       
-
       
						data.error?.includes("Invalid email")

     

       
335
       
335
       
-
       
					) {

     

       
336
       
336
       
-
       
						this.needsRegistration = true;

     

       
337
       
337
       
-
       
						this.error = "";

     

       
338
       
338
       
-
       
						return;

     

       
339
       
339
       
-
       
					}

     

       
340
       
340
       
-
       


     

       
341
       
331
       
 
       
					this.error = data.error || "Login failed";

     

       
342
       
332
       
 
       
					return;

     

       
343
       
333
       
 
       
				}

     

···

       
112
       
112
       
 
       
		)

     

       
113
       
113
       
 
       
		.get(email);

     

       
114
       
114
       
 
       


     

       
115
       
115
       
-
       
	if (!result) return null;

     

       
115
       
115
       
+
       
	if (!result) {

     

       
116
       
116
       
+
       
		// Dummy comparison to prevent timing-based account enumeration

     

       
117
       
117
       
+
       
		const dummyHash = "0".repeat(64);

     

       
118
       
118
       
+
       
		password === dummyHash;

     

       
119
       
119
       
+
       
		return null;

     

       
120
       
120
       
+
       
	}

     

       
116
       
121
       
 
       


     

       
117
       
122
       
 
       
	if (password !== result.password_hash) return null;

     

       
118
       
123