mirror of
https://github.com/aaif-goose/goose.git
synced 2026-07-03 14:10:03 +02:00
use constant-time comparison for auth token validation (#7730)
Signed-off-by: Extra Small <littleshuai.bot@gmail.com> Co-authored-by: extrasmall0 <extrasmall0@users.noreply.github.com>
This commit is contained in:
@@ -46,6 +46,7 @@ tokio-tungstenite = { version = "0.28.0", features = ["rustls-tls-native-roots"]
|
||||
url = { workspace = true }
|
||||
rand = "0.9.2"
|
||||
hex = "0.4.3"
|
||||
subtle = "2.6"
|
||||
socket2 = "0.6.1"
|
||||
fs2 = { workspace = true }
|
||||
rustls = { version = "0.23", features = ["aws_lc_rs"] }
|
||||
|
||||
@@ -4,6 +4,7 @@ use axum::{
|
||||
middleware::Next,
|
||||
response::Response,
|
||||
};
|
||||
use subtle::ConstantTimeEq;
|
||||
|
||||
pub async fn check_token(
|
||||
State(state): State<String>,
|
||||
@@ -23,7 +24,9 @@ pub async fn check_token(
|
||||
.and_then(|value| value.to_str().ok());
|
||||
|
||||
match secret_key {
|
||||
Some(key) if key == state => Ok(next.run(request).await),
|
||||
Some(key) if bool::from(key.as_bytes().ct_eq(state.as_bytes())) => {
|
||||
Ok(next.run(request).await)
|
||||
}
|
||||
_ => Err(StatusCode::UNAUTHORIZED),
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user