feat: Add timing attack protection and failed auth tracking

[gtema]

Prevent username enumeration via timing attacks by generating a dummy
password hash when a user is not found, ensuring the response time is
comparable to the "user exists, wrong password" path.

• password_hashing: add generate_dummy_hash() matching configured
  algorithm
• authenticate_by_password: verify against dummy hash when user not
  found
• log_failed_auth: accept DateTime parameter instead of generating
  it
• reset_last_active: accept DateTime parameter for single timestamp
• refactor: rename local_user -> local_user_entry for clarity
• tests: add unit tests for log_failed_auth, reset_failed_auth, timing
  consistency

[github-actions]

🦢 Load Test Results

Goose Attack Report

Plan Overview

Action	Started	Stopped	Elapsed	Users
Increasing	26-06-05 13:13:43	26-06-05 13:13:45	00:00:02	0 → 4
Maintaining	26-06-05 13:13:45	26-06-05 13:14:15	00:00:30	4
Decreasing	26-06-05 13:14:15	26-06-05 13:14:15	00:00:00	0 ← 4

Request Metrics

Method	Name	# Requests	# Fails	Average (ms)	Min (ms)	Max (ms)	RPS	Failures/s
GET		6320	0	18.50	11	38	210.67	0.00
	Aggregated	6320	0	18.50	11	38	210.67	0.00

Response Time Metrics

Method	Name	50%ile (ms)	60%ile (ms)	70%ile (ms)	80%ile (ms)	90%ile (ms)	95%ile (ms)	99%ile (ms)	100%ile (ms)
GET		16	20	22	23	25	25	28	38
	Aggregated	16	20	22	23	25	25	28	38

Status Code Metrics

Method	Name	Status Codes
GET		6,320 [200]
	Aggregated	6,320 [200]

Transaction Metrics

Transaction	# Times Run	# Fails	Average (ms)	Min (ms)	Max (ms)	RPS	Failures/s
ListUsers
0.0	0	0	0.00	0	0	0.00	0.00
0.1	3822	0	15.24	11	27	127.40	0.00
ValidateToken
1.0	0	0	0.00	0	0	0.00	0.00
1.1	2498	0	23.58	19	38	83.27	0.00
Aggregated	6320	0	18.50	11	38	210.67	0.00

Scenario Metrics

Transaction	# Users	# Times Run	Average (ms)	Min (ms)	Max (ms)	Scenarios/s	Iterations
ListUsers	2	3820	15.25	11	27	127.33	1910.00
ValidateToken	2	2496	23.59	19	38	83.20	1248.00
Aggregated	4	6316	18.54	11	38	210.53	3158.00

View full report

[github-actions]

Bencher Report

Branch	security
Testbed	ubuntu-latest

🚨 1 Alert

Benchmark	Measure Units	View	Benchmark Result (Result Δ%)	Upper Boundary (Limit %)
Raft_1Node_Latency/prefix/1node	Latency milliseconds (ms)	📈 plot 🚷 threshold 🚨 alert (🔔)	8.87 ms (+142.11%) Baseline: 3.66 ms	6.64 ms (133.52%)

Click to view all benchmark results

Benchmark	Latency	Benchmark Result nanoseconds (ns) (Result Δ%)	Upper Boundary nanoseconds (ns) (Limit %)
Command_Serde/apply/remove	📈 view plot 🚷 view threshold	83,678.00 ns (-43.82%) Baseline: 148,945.84 ns	540,662.26 ns (15.48%)
Command_Serde/apply/set	📈 view plot 🚷 view threshold	82,092.00 ns (-38.44%) Baseline: 133,362.46 ns	317,572.27 ns (25.85%)
Command_Serde/pack/delete	📈 view plot 🚷 view threshold	122.15 ns (-0.34%) Baseline: 122.56 ns	142.05 ns (85.99%)
Command_Serde/pack/delete_index	📈 view plot 🚷 view threshold	115.90 ns (+1.30%) Baseline: 114.42 ns	131.98 ns (87.82%)
Command_Serde/pack/set	📈 view plot 🚷 view threshold	190.36 ns (-4.00%) Baseline: 198.29 ns	234.29 ns (81.25%)
Command_Serde/pack/set_index	📈 view plot 🚷 view threshold	115.67 ns (+0.92%) Baseline: 114.61 ns	131.92 ns (87.68%)
Command_Serde/unpack/delete	📈 view plot 🚷 view threshold	203.17 ns (+7.50%) Baseline: 189.00 ns	227.72 ns (89.22%)
Command_Serde/unpack/delete_index	📈 view plot 🚷 view threshold	183.81 ns (+10.69%) Baseline: 166.06 ns	200.71 ns (91.58%)
Command_Serde/unpack/set	📈 view plot 🚷 view threshold	253.23 ns (+2.62%) Baseline: 246.77 ns	286.57 ns (88.37%)
Command_Serde/unpack/set_index	📈 view plot 🚷 view threshold	183.57 ns (+11.46%) Baseline: 164.70 ns	200.54 ns (91.54%)
Payload_encryption/pack/inner	📈 view plot 🚷 view threshold	66.27 ns (+1.43%) Baseline: 65.34 ns	76.16 ns (87.01%)
Payload_encryption/pack/remove_cmd	📈 view plot 🚷 view threshold	121.44 ns (-0.64%) Baseline: 122.22 ns	143.60 ns (84.57%)
Payload_encryption/pack/set_cmd	📈 view plot 🚷 view threshold	218.83 ns (-5.77%) Baseline: 232.23 ns	289.50 ns (75.59%)
Payload_encryption/unpack/inner	📈 view plot 🚷 view threshold	163.02 ns (-0.44%) Baseline: 163.75 ns	190.74 ns (85.47%)
Payload_encryption/unpack/remove_cmd	📈 view plot 🚷 view threshold	207.51 ns (+4.56%) Baseline: 198.46 ns	240.02 ns (86.46%)
Payload_encryption/unpack/set_cmd	📈 view plot 🚷 view threshold	269.74 ns (+4.09%) Baseline: 259.14 ns	309.42 ns (87.17%)
Raft_1Node_Latency/prefix/1node	📈 view plot 🚷 view threshold 🚨 view alert (🔔)	8,872,000.00 ns (+142.11%) Baseline: 3,664,482.05 ns	6,644,797.74 ns (133.52%)
Raft_1Node_Latency/read/1node	📈 view plot 🚷 view threshold	589.31 ns (+4.96%) Baseline: 561.44 ns	742.79 ns (79.34%)
Raft_1Node_Latency/remove/1node	📈 view plot 🚷 view threshold	243,300.00 ns (-37.31%) Baseline: 388,123.85 ns	1,094,166.47 ns (22.24%)
Raft_1Node_Latency/write/1node	📈 view plot 🚷 view threshold	256,440.00 ns (-32.03%) Baseline: 377,281.28 ns	873,777.80 ns (29.35%)
build_snapshot/default	📈 view plot 🚷 view threshold	96,835.00 ns (+4.58%) Baseline: 92,592.84 ns	148,843.71 ns (65.06%)
fernet token/project	📈 view plot 🚷 view threshold	1,452.00 ns (-0.88%) Baseline: 1,464.93 ns	1,634.69 ns (88.82%)
get_data_keyspace	📈 view plot 🚷 view threshold	0.35 ns (+9.15%) Baseline: 0.32 ns	0.38 ns (92.62%)
get_db	📈 view plot 🚷 view threshold	0.35 ns (+9.89%) Baseline: 0.32 ns	0.38 ns (93.03%)
get_fernet_token_timestamp/project	📈 view plot 🚷 view threshold	144.21 ns (-2.50%) Baseline: 147.91 ns	171.54 ns (84.07%)
get_keyspace	📈 view plot 🚷 view threshold	4.81 ns (+3.91%) Baseline: 4.63 ns	7.84 ns (61.32%)

🐰 View full continuous benchmarking report in Bencher