authorafenoum <anja1catus@gmail.com>2026-04-20 12:44:42 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2026-04-27 16:22:04 +0200
commitc63591d4da533944af31ccb46a77eb221dbdba0a (patch)
treeab4d05769d45452c21670062bfe410d1e7823538 /django/contrib/auth/__init__.py
parent017d7f6f12e597e6179de7ffdf330a52c2b22053 (diff)
Fixed #36901 -- Centralized auth timing attack mitigations.
Thank you Mar Bartolome and Tim Schilling for reviews.
Diffstat (limited to 'django/contrib/auth/__init__.py')
-rw-r--r--django/contrib/auth/__init__.py19
1 files changed, 19 insertions, 0 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py
index 21e6dc43d6..aa56df9a3a 100644
--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -391,3 +391,22 @@ async def aupdate_session_auth_hash(request, user):
await request.session.acycle_key()
if hasattr(user, "get_session_auth_hash") and await request.auser() == user:
await request.session.aset(HASH_SESSION_KEY, user.get_session_auth_hash())
+
+
+def check_password_with_timing_attack_mitigation(user, password):
+ """
+ Checks password against the user's hash if there is a user, otherwise runs
+ the default password hasher to prevent user enumeration attacks (#20760).
+ """
+ if user is None:
+ get_user_model()().set_password(password)
+ else:
+ return user.check_password(password)
+
+
+async def acheck_password_with_timing_attack_mitigation(user, password):
+ """See check_user_with_timing_attack_mitigation."""
+ if user is None:
+ get_user_model()().set_password(password)
+ else:
+ return await user.acheck_password(password)
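Review bot: The `user is None` branch of `check_password_with_timing_attack_mitigation` falls off the end and yields `None`, so the helper returns `bool` on one path and `None` on the other even though its docstring says it checks the password; make the negative result explicit with `return False` after the `set_password` call, and do the same in `acheck_password_with_timing_attack_mitigation`. The async docstring also refers to `check_user_with_timing_attack_mitigation`, a name that does not appear on the page; it should read `"""See check_password_with_timing_attack_mitigation."""`. A short caveat in the sync docstring would help future callers: the dummy `set_password` only equalizes cost against the default hasher, so presumably a stored hash produced by a different or more expensive hasher still takes a different amount of time — inherent to the approach rather than introduced here, but worth stating where the helper is now centralized.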