From f9383c66d140cbfc91a4201c69fb272fc22d67e5 Mon Sep 17 00:00:00 2001
From: Damian Debkowski
Date: Thu, 13 Mar 2025 15:08:09 -0700
Subject: [PATCH] fix(token): utilize a more accurate comparison method (#5594)

---
 internal/authtoken/repository.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/authtoken/repository.go b/internal/authtoken/repository.go
index e16519fb7d..236835742d 100644
--- a/internal/authtoken/repository.go
+++ b/internal/authtoken/repository.go
@@ -5,6 +5,7 @@ package authtoken
 
 import (
 	"context"
+	"crypto/subtle"
 	"database/sql"
 	"fmt"
 	"time"
@@ -239,7 +240,7 @@ func (r *Repository) ValidateToken(ctx context.Context, id, token string, opt ..
 		return nil, nil
 	}
 
-	if retAT.GetToken() != token {
+	if subtle.ConstantTimeCompare([]byte(retAT.GetToken()), []byte(token)) == 0 {
 		return nil, nil
 	}
 	// retAT.Token set to empty string so the value is not returned as described in the methods' doc.
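Review bot: The new comparison on the `+` line still returns early when the two inputs have different lengths — `subtle.ConstantTimeCompare` is documented to return 0 immediately in that case — so the rewrite is constant-time only for equal-length inputs, and nothing in the hunk shows that the stored token and the caller-supplied `token` are fixed-length. If token length is not fixed, compare fixed-size digests instead, e.g. `want := sha256.Sum256([]byte(retAT.GetToken()))`, `got := sha256.Sum256([]byte(token))`, `if subtle.ConstantTimeCompare(want[:], got[:]) == 0 {`, which also removes the length leak. Either way the line deserves a why-comment so the next maintainer does not "simplify" it back to `!=`: `// Constant-time compare: a plain != returns on the first differing byte and can leak how much of the token matched.` ValidateToken starts and ends outside the hunk, so whether an earlier length check already covers this cannot be seen here.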