When authenticating a user, we skip any calls to BCrypt if we weren't able to find a user with the provided email address. This results in a faster response time to the client and less work on the server... but it also means one could possibly monitor the response times from the app to see if the provided user has an account.
When we detect that a user does not exist with the provided email, we should go ahead and perform a bcrypt check anyway, and always return false from that check. This will keep timings consistent with the response one gets when they use an email that exists but get the password wrong.
I took a quick look at how this could be done. I feel like the best way would be a new "dummy_authenticate" method on the password strategy that is called for this explicit purpose. That's a breaking change to the contract of the password strategy though.
Another alternative would be to handle this in the user mixin itself. We'd want to make sure we produce similar timings in any event.
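As an added illustration (not code from this project), the leaky shape described above beside the constant-work version. Assumptions: the user store is an in-memory hash, the password hash is PBKDF2-HMAC-SHA256 from Ruby's stdlib standing in for BCrypt so the example runs without the gem, and the dummy hash is computed once at boot, which is how a precomputed dummy BCrypt string would also be used.

```ruby
require "openssl"
require "securerandom"

# Stand-in for BCrypt (assumption: PBKDF2-HMAC-SHA256 from stdlib). The point is the
# control flow: the expensive KDF must run on every attempt, known user or not.
KDF_ITERATIONS = 50_000
KDF_LENGTH = 32

def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: KDF_ITERATIONS,
                                    length: KDF_LENGTH, hash: "sha256")
  [salt, digest]
end

# Constant-time comparison so the digest check itself does not leak a prefix match.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed data: one account, plus a dummy hash computed once at boot.
USERS = { "alice@example.com" => hash_password("correct horse battery staple") }
DUMMY_SALT, DUMMY_DIGEST = hash_password(SecureRandom.hex(16))

# Shape the issue describes: unknown email returns before any KDF work is done,
# so the response is orders of magnitude faster than a wrong password for a real user.
def authenticate_leaky(email, password)
  record = USERS[email]
  return false unless record
  salt, digest = record
  secure_compare(digest, hash_password(password, salt)[1])
end

# Mitigated: always run the KDF. For an unknown email the check runs against the
# dummy hash and its result is discarded, so both branches cost the same.
def authenticate_constant_work(email, password)
  record = USERS[email]
  salt, digest = record || [DUMMY_SALT, DUMMY_DIGEST]
  match = secure_compare(digest, hash_password(password, salt)[1])
  match && !record.nil? # never authenticate a non-existent account
end

# Returns [result, elapsed_seconds] for measuring the two paths.
def timed
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = yield
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end
```

Timing `authenticate_leaky` with an unknown versus a known email shows the gap the issue describes; with `authenticate_constant_work` both paths perform the same KDF work.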