Merge branch '272-token-comparation' into 'master'

agneum · agneum · commit dd102629b72b · 2021-07-09T08:00:36.000Z
fix: use a constant time string comparison function to compare a verification token (#272)

Closes #272

See merge request postgres-ai/database-lab!307
diff --git a/pkg/srv/mw/auth.go b/pkg/srv/mw/auth.go
@@ -7,6 +7,7 @@ package mw
 
 import (
 	"context"
+	"crypto/subtle"
 	"net/http"
 
 	"gitlab.com/postgres-ai/database-lab/v2/pkg/services/platform"
@@ -45,7 +46,7 @@ func (a *Auth) isAccessAllowed(ctx context.Context, token string) bool {
 		return false
 	}
 
-	if a.verificationToken == token {
+	if subtle.ConstantTimeCompare([]byte(a.verificationToken), []byte(token)) == 1 {
 		return true
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ package mw`
`7`	`7`
`8`	`8`	`import (`
`9`	`9`	`"context"`
	`10`	`+ "crypto/subtle"`
`10`	`11`	`"net/http"`
`11`	`12`
`12`	`13`	`"gitlab.com/postgres-ai/database-lab/v2/pkg/services/platform"`
`@@ -45,7 +46,7 @@ func (a *Auth) isAccessAllowed(ctx context.Context, token string) bool {`
`45`	`46`	`return false`
`46`	`47`	`}`
`47`	`48`
`48`		`- if a.verificationToken == token {`
	`49`	`+ if subtle.ConstantTimeCompare([]byte(a.verificationToken), []byte(token)) == 1 {`
`49`	`50`	`return true`
`50`	`51`	`}`
`51`	`52`