Synchronous bcrypt.compareSync() used with await in async findMatchingKey method #3878

@Nixxx19

Description

p5.js version

latest

What is your operating system?

None

Web browser and version

all

Actual Behavior

In server/models/user.ts at line 176, the findMatchingKey method uses bcrypt.compareSync() (synchronous) with await inside an async function:

userSchema.methods.findMatchingKey = async function findMatchingKey(
  candidateKey: string
): Promise<{ isMatch: boolean; keyDocument: ApiKeyDocument | null }> {
  for (const k of this.apiKeys) {
    try {
      const foundOne = await bcrypt.compareSync(candidateKey, k.hashedKey);
      // ❌ compareSync is synchronous — await does nothing

Two problems:

  1. bcrypt.compareSync() blocks the Node.js event loop while computing the hash comparison. For each API key checked, the entire server is unresponsive during that time.
  2. await on a non-Promise (boolean) return value has no effect — it resolves immediately but gives a false impression that the operation is asynchronous.

Expected Behavior

Use the asynchronous bcrypt.compare() which returns a Promise and does not block the event loop:

const foundOne = await bcrypt.compare(candidateKey, k.hashedKey);
// ✅ async version — does not block the event loop

Steps to reproduce

  1. Open server/models/user.ts
  2. Go to line 176 inside the findMatchingKey method
  3. Observe bcrypt.compareSync() is used with await
  4. Under concurrent load with multiple API key authentication requests, the synchronous hash comparison blocks the event loop, degrading server responsiveness for all users

Labels: Awaiting Maintainer Approval (Needs review from a maintainer before moving forward); Bug (Error or unexpected behaviors)
