Address 2FA PR feedback

DJAndries · DJAndries · commit b0c675e32034 · 2025-06-04T19:38:31.000-07:00
diff --git a/datastore/password_states.go b/datastore/password_states.go
@@ -13,9 +13,6 @@ import (
 const (
 	NormalStateExpiration = 30 * time.Second
 	TwoFAStateExpiration  = 5 * time.Minute
-
-	// "Compile-time assertion" to ensure that the 2FA expiration time is greater
-	_ = uint64(TwoFAStateExpiration - NormalStateExpiration)
 )
 
 // InterimPasswordState represents the state of an OPAQUE Authenticated Key Exchange or Registration operation
diff --git a/util/util.go b/util/util.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/rand"
+	"crypto/subtle"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -98,7 +99,7 @@ func VerifyRecoveryKeyHash(recoveryKey string, storedHash []byte) bool {
 
 	computedHash := generateRecoveryKeyHash(recoveryKey, salt)
 
-	return bytes.Equal(computedHash, expectedHash)
+	return subtle.ConstantTimeCompare(computedHash, expectedHash) == 1
 }
 
 func ExtractAuthToken(r *http.Request) (string, error) {

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,6 @@ import (`
`13`	`13`	`const (`
`14`	`14`	`NormalStateExpiration = 30 * time.Second`
`15`	`15`	`TwoFAStateExpiration = 5 * time.Minute`
`16`		`-`
`17`		`- // "Compile-time assertion" to ensure that the 2FA expiration time is greater`
`18`		`- _ = uint64(TwoFAStateExpiration - NormalStateExpiration)`
`19`	`16`	`)`
`20`	`17`
`21`	`18`	`// InterimPasswordState represents the state of an OPAQUE Authenticated Key Exchange or Registration operation`