use constant-time comparison for auth token validation (#7730)

Signed-off-by: Extra Small <littleshuai.bot@gmail.com>
Co-authored-by: extrasmall0 <extrasmall0@users.noreply.github.com>
This commit is contained in:
Extra Small
2026-03-11 04:31:43 -07:00
committed by GitHub
parent 58f3cc9e30
commit a28c306b23
2 changed files with 5 additions and 1 deletions
+1
View File
@@ -46,6 +46,7 @@ tokio-tungstenite = { version = "0.28.0", features = ["rustls-tls-native-roots"]
url = { workspace = true }
rand = "0.9.2"
hex = "0.4.3"
subtle = "2.6"
socket2 = "0.6.1"
fs2 = { workspace = true }
rustls = { version = "0.23", features = ["aws_lc_rs"] }
+4 -1
View File
@@ -4,6 +4,7 @@ use axum::{
middleware::Next,
response::Response,
};
use subtle::ConstantTimeEq;
pub async fn check_token(
State(state): State<String>,
@@ -23,7 +24,9 @@ pub async fn check_token(
.and_then(|value| value.to_str().ok());
match secret_key {
Some(key) if key == state => Ok(next.run(request).await),
Some(key) if bool::from(key.as_bytes().ct_eq(state.as_bytes())) => {
Ok(next.run(request).await)
}
_ => Err(StatusCode::UNAUTHORIZED),
}
}