Description
Securing the server version 1.1.8 with a password is susceptible to timing attacks.
I'm reporting here because I found on #902 you do not want security issues posted through any other channel.
It should be possible to delay answers to all ActivateSession requests by the same delay regardless of whether the session user is unknown or the password is wrong. Currently the session's activate_session, and hence the user manager's get_user, is called synchronously, and adding any significant delay in the user manager would block all the asyncio tasks.
Should the user manager get_user be changed to an async method, it should be possible to offer some backwards compatibility using inspect.isawaitable and warn on the deprecation of the sync method.
Changing get_user to async would also open other possibilities for verifying credentials that might require some I/O.
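The two changes proposed above (an awaitable get_user with an inspect.isawaitable compatibility shim, and a uniform response time for ActivateSession that does not block the event loop) as an added, stand-alone example. This is not code from the opcua-asyncio project; the simplified get_user(username, password) signature, the in-memory user table and the 0.25 s response floor are assumptions made for the illustration.

```python
import asyncio
import hashlib
import hmac
import inspect
import os
import time
import warnings
from typing import Optional


# Constructed stand-in credential store: username -> (salt, PBKDF2 hash).
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
_USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

# Dummy credential used when the username is unknown, so the same hashing and
# comparison work happens on every path and does not reveal whether the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw("dummy", _DUMMY_SALT)


class SyncUserManager:
    """Legacy (assumed) shape: a blocking get_user(username, password)."""

    def get_user(self, username: Optional[str], password: Optional[str]):
        entry = _USERS.get(username)
        salt, stored = entry if entry else (_DUMMY_SALT, _DUMMY_HASH)
        ok = hmac.compare_digest(_hash_pw(password or "", salt), stored)
        return username if (entry and ok) else None


class AsyncUserManager:
    """Async variant: the CPU-heavy hash runs in a thread so the loop stays free."""

    async def get_user(self, username: Optional[str], password: Optional[str]):
        entry = _USERS.get(username)
        salt, stored = entry if entry else (_DUMMY_SALT, _DUMMY_HASH)
        digest = await asyncio.to_thread(_hash_pw, password or "", salt)
        ok = hmac.compare_digest(digest, stored)
        return username if (entry and ok) else None


async def call_get_user(manager, username, password):
    """Accept both sync and async get_user, warning when the sync form is used."""
    result = manager.get_user(username, password)
    if inspect.isawaitable(result):
        return await result
    warnings.warn("sync get_user is deprecated; define it as 'async def'",
                  DeprecationWarning, stacklevel=2)
    return result


MIN_RESPONSE_SECONDS = 0.25  # uniform response floor (assumed value for illustration)


async def activate_session(manager, username, password):
    """Every outcome (unknown user, wrong password, success) takes at least
    MIN_RESPONSE_SECONDS; the padding is an asyncio.sleep, so other tasks run meanwhile."""
    start = time.monotonic()
    user = await call_get_user(manager, username, password)
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        await asyncio.sleep(remaining)
    return user


def activate_session_sync(manager, username, password):
    """Blocking wrapper returning (user_or_None, elapsed_seconds)."""
    start = time.monotonic()
    user = asyncio.run(activate_session(manager, username, password))
    return user, time.monotonic() - start


if __name__ == "__main__":
    for mgr in (SyncUserManager(), AsyncUserManager()):
        for name, pw in (("alice", "correct horse"), ("alice", "wrong"), ("nobody", "wrong")):
            user, elapsed = activate_session_sync(mgr, name, pw)
            print(f"{type(mgr).__name__:16} {name:8} -> {user!r:8} in {elapsed:.3f}s")
```

Run it and the three outcomes per manager report nearly identical elapsed times, because the floor dominates the difference between "hash and reject" and "hash and accept"; the dummy hash on the unknown-user path is what keeps that difference small to begin with.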