// loginPost is shown here as an excerpt; [...] marks code the author elided.
// The visible part loads the user record for the given user and client and
// turns lookup failures into error pages.
func (s *Server) loginPost(w http.ResponseWriter, r *http.Request) (c.Node, error) {
  [...]
  
  // Look up the user scoped to this client. userid and client are presumably
  // set in the elided code above.
  clientUser, err := s.queries.GetUserByUserAndClientID(r.Context(), model.GetUserByUserAndClientIDParams{
    UserID:   userid,
    ClientID: client.ID,
  })
  if err != nil {
    switch {
      // No matching row: answer 401 with ErrInvalidUserOrPassword, after a
      // password check whose result is discarded and which exists only for its
      // running time (see the log message).
      case errors.Is(err, pgx.ErrNoRows):
         // NOTE(review): an unknown user is an expected condition on a login
         // endpoint; confirm Error is the intended log level for it.
         s.log.Error("clientUser not found in database, checking password anyways to avoid timing attacks")
         // NOTE(review): err is non-nil here, so clientUser is presumably the
         // zero value and this validates "" against an empty PasswordHash, not a
         // real one. Confirm that Validate does the same work in that case as
         // for a stored hash (for example by checking against a fixed dummy
         // hash); if it returns early, this path still differs in timing from
         // the wrong-password path. Also confirm that User and PasswordHash are
         // not pointer types, since a nil dereference here would panic.
         clientUser.User.PasswordHash.Validate("")
         return s.httpErrorPage(w, r, ErrInvalidUserOrPassword, http.StatusUnauthorized)
      // Any other lookup error: the underlying error goes to the log only, and
      // the page receives ErrUnexpected with a 500 status.
      default:
         s.log.Error("error getting user from database", "error", err)
         return s.httpErrorPage(w, r, ErrUnexpected, http.StatusInternalServerError)
    }

    [...]
  }