fix(token): utilize a more accurate comparison method (#5594)

1 year ago · 32be170562
parent 132a52c5d9
commit 32be170562
1 changed files with 2 additions and 1 deletions
--- a/internal/authtoken/repository.go
+++ b/internal/authtoken/repository.go
@ -5,6 +5,7 @@ package authtoken

 import (
 	"context"
+	"crypto/subtle"
 	"database/sql"
 	"fmt"
 	"time"
@ -240,7 +241,7 @@ func (r *Repository) ValidateToken(ctx context.Context, id, token string, opt ..
 		return nil, nil
 	}

-	if retAT.GetToken() != token {
+	if subtle.ConstantTimeCompare([]byte(retAT.GetToken()), []byte(token)) == 0 {
 		return nil, nil
 	}
 	// retAT.Token set to empty string so the value is not returned as described in the methods' doc.