From f958aa6930ab70c4c667097d88511931a8f00c24 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 6 Nov 2021 14:50:35 +0100
Subject: [PATCH] stages/identification: use random sleep
Signed-off-by: Jens Langhammer
---
 authentik/stages/identification/stage.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/authentik/stages/identification/stage.py b/authentik/stages/identification/stage.py
index bbc6de2f4..64a24a0a6 100644
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@@ -1,5 +1,6 @@
 """Identification stage logic"""
 from dataclasses import asdict
+from random import SystemRandom
 from time import sleep
 from typing import Any, Optional
@@ -78,7 +79,8 @@ class IdentificationChallengeResponse(ChallengeResponse):
 pre_user = self.stage.get_user(uid_field)
 if not pre_user:
- sleep(0.150)
+ # Sleep a random time (between 90 and 210ms) to "prevent" user enumeration attacks
+ sleep(0.30 * SystemRandom().randint(3, 7))
 LOGGER.debug("invalid_login", identifier=uid_field)
 identification_failed.send(sender=self, request=self.stage.request, uid_field=uid_field)
 # We set the pending_user even on failure so it's part of the context, even
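Review bot: The new sleep in the second hunk does not match its own comment: `0.30 * SystemRandom().randint(3, 7)` evaluates to 0.9–2.1 seconds, ten times the stated 90–210 ms, so every failed identification now stalls the request for up to two seconds instead of the previous 150 ms. The factor should be `0.030`, or the intent is clearer as `sleep(SystemRandom().uniform(0.090, 0.210))`. Note also that jitter applied only on the failure branch does not equalize it with the success path; a caller averaging many requests can presumably still separate the two distributions, which the scare quotes around "prevent" in the comment already hint at, so the comment might say explicitly that this only blurs, not removes, the timing difference. The enclosing method continues outside the hunk.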