[auth] use of constant time compare for registration token

capcom6 · capcom6 · commit 34fbb47a4cda · 2024-11-27T06:03:13.000+07:00
diff --git a/internal/sms-gateway/modules/auth/service.go b/internal/sms-gateway/modules/auth/service.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/hex"
 	"fmt"
 	"time"
@@ -99,7 +100,7 @@ func (s *Service) AuthorizeRegistration(token string) error {
 		return nil
 	}
 
-	if token == s.config.PrivateToken {
+	if subtle.ConstantTimeCompare([]byte(token), []byte(s.config.PrivateToken)) == 1 {
 		return nil
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ package auth`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"crypto/sha256"`
	`5`	`+ "crypto/subtle"`
`5`	`6`	`"encoding/hex"`
`6`	`7`	`"fmt"`
`7`	`8`	`"time"`
`@@ -99,7 +100,7 @@ func (s *Service) AuthorizeRegistration(token string) error {`
`99`	`100`	`return nil`
`100`	`101`	`}`
`101`	`102`
`102`		`- if token == s.config.PrivateToken {`
	`103`	`+ if subtle.ConstantTimeCompare([]byte(token), []byte(s.config.PrivateToken)) == 1 {`
`103`	`104`	`return nil`
`104`	`105`	`}`
`105`	`106`