10.2.5 unknown username won't be returned #253

@mise42

Since we use a default PHC string to make verification constant-time, the actual Unknown Username case will return early as Invalid password.

    spawn_blocking_with_tracing(move || {
        verify_password_hash(expected_password_hash, credentials.password)
    })
    .await 
    // early return
    .context("Failed to spawn blocking task.")??;
    user_id
        // dead code
        .ok_or_else(|| anyhow::anyhow!("Unknown username."))
        .map_err(AuthError::InvalidCredentials)
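
A std-only model of the control flow described in this issue, added here as an example (not code from the project or from the issue author). `lookup`, `verify`, the `phc$` stand-in hash format, the fallback value and the sample users are constructed assumptions, with string comparison standing in for Argon2.

```rust
// Added model of the issue's control flow; std only.
// Assumption: a "hash" is just "phc$" + password, standing in for Argon2.
#[derive(Debug, PartialEq)]
enum AuthError {
    InvalidCredentials(&'static str), // inner text models the anyhow cause
}

// Constructed user store: username -> (user_id, stored hash).
fn lookup(username: &str) -> Option<(u32, String)> {
    match username {
        "alice" => Some((1, "phc$correct horse".to_string())),
        _ => None,
    }
}

// Stand-in for verify_password_hash: fails with "Invalid password." on mismatch.
fn verify(expected_hash: &str, password: &str) -> Result<(), AuthError> {
    if expected_hash == format!("phc${}", password) {
        Ok(())
    } else {
        Err(AuthError::InvalidCredentials("Invalid password."))
    }
}

fn validate_credentials(username: &str, password: &str) -> Result<u32, AuthError> {
    let mut user_id = None;
    // Fallback hash so unknown usernames still pay for one verification.
    let mut expected_hash = "phc$fallback-secret".to_string();
    if let Some((id, hash)) = lookup(username) {
        user_id = Some(id);
        expected_hash = hash;
    }
    // For an unknown username this compares against the fallback and
    // normally fails, so `?` returns "Invalid password." right here.
    verify(&expected_hash, password)?;
    // Reached with user_id == None only if the password matched the fallback.
    user_id.ok_or(AuthError::InvalidCredentials("Unknown username."))
}

fn main() {
    for (u, p) in [("alice", "correct horse"), ("alice", "nope"),
                   ("mallory", "nope"), ("mallory", "fallback-secret")] {
        println!("{u:>8} / {p:<16} -> {:?}", validate_credentials(u, p));
    }
}
```

In this model both failures carry the same `InvalidCredentials` variant, so a caller cannot tell them apart by type; only the inner message differs.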
