Commit dd10262

committed

Merge branch '272-token-comparation' into 'master'

fix: use a constant time string comparison function to compare a verification token (#272) Closes #272 See merge request postgres-ai/database-lab!307

2 parents a2a4ec8 + ddf5aff commit dd10262Copy full SHA for dd10262

File tree

-1

lines changed

-1

lines changed

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ package mw`
`7`	`7`
`8`	`8`	`import (`
`9`	`9`	`"context"`
	`10`	`+ "crypto/subtle"`
`10`	`11`	`"net/http"`
`11`	`12`
`12`	`13`	`"gitlab.com/postgres-ai/database-lab/v2/pkg/services/platform"`
`@@ -45,7 +46,7 @@ func (a *Auth) isAccessAllowed(ctx context.Context, token string) bool {`
`45`	`46`	`return false`
`46`	`47`	`}`
`47`	`48`
`48`		`- if a.verificationToken== token {`
	`49`	`+ if subtle.ConstantTimeCompare([]byte(a.verificationToken), []byte(token)) == 1 {`
`49`	`50`	`return true`
`50`	`51`	`}`
`51`	`52`

Comments

(0)