Security: Timing Attack Risk & Missing Input Validation in Auth Handlers #2572

@MOHITKOURAV01

Description

Describe the bug

Authentication middlewares (BasicAuth, APIKeyAuth) in GoFr (Go codebase) use direct string equality for credential checks, which exposes the framework and its adopters to timing attack vulnerabilities [web:52][web:51].
Handler functions (such as HelloHandler) retrieve input parameters using Param methods without automatic validation or sanitization, increasing the risk of injection and unexpected input errors.

To Reproduce

Steps to reproduce the behavior:

  1. Review authentication code for credential comparison in middlewares:

    if password == storedPassword {
        // direct comparison
    }
    
  2. Review HelloHandler or any typical handler for input handling:

    name := c.Param("name")
    // only empty check, no sanitation/validation
    

Expected behavior

  • Credentials should be checked using constant-time comparison (crypto/subtle.ConstantTimeCompare) for passwords and API keys.
  • Handlers should validate and sanitize all input parameters before use, ideally with reusable middleware or helper utilities.

Screenshots

Code example using constant-time comparison for authentication fix:

Environments (please complete the following information):

  • OS: Linux, macOS, Windows (tested)
  • gofr version: v1.x.x (latest from gofr.dev)
  • go version: 1.21+

More description

To fix:

  • Switch authentication credential checks in BasicAuth and APIKey middlewares to use constant-time comparison functions (see: Go crypto/subtle documentation).
  • Add or encourage centralized input validation middleware/utilities for query, path, and body params.
  • Recommend use of hash-based password storage (not plaintext) for BasicAuth user config, following standard security practices [web:52][web:54].
  • Strengthen and expand test cases for both authentication logic and input validation edge cases.

Links for framework and official docs:
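
The constant-time check requested above, written as an added example (not GoFr's code and not the screenshot from the issue). It assumes credentials and API keys are stored as SHA-256 digests rather than plaintext, so both sides of every comparison have the same length; `credStore`, `hashSecret`, `verify` and `apiKeyValid` are names chosen for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// credStore maps a username to the SHA-256 digest of its secret. Storing
// digests rather than plaintext is an assumption of this example, not a
// description of GoFr's own credential config.
type credStore map[string][32]byte

func hashSecret(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// verify replaces `password == storedPassword`. Hashing both sides first
// yields equal-length inputs, so subtle.ConstantTimeCompare cannot return
// early on a length mismatch, and an unknown user still pays for one compare.
func (s credStore) verify(user, secret string) bool {
	stored, known := s[user]
	if !known {
		stored = hashSecret("dummy-for-unknown-user") // compared, never accepted
	}
	got := hashSecret(secret)
	match := subtle.ConstantTimeCompare(got[:], stored[:]) == 1
	return known && match
}

// apiKeyValid checks a presented key against every accepted digest without
// leaving the loop early, so timing does not reveal which key matched.
func apiKeyValid(presented string, accepted [][32]byte) bool {
	got := hashSecret(presented)
	found := 0
	for _, k := range accepted {
		found |= subtle.ConstantTimeCompare(got[:], k[:])
	}
	return found == 1
}

func main() {
	// Constructed sample store for a stand-alone run.
	store := credStore{"alice": hashSecret("s3cret")}
	fmt.Println(store.verify("alice", "s3cret"), store.verify("alice", "guess"))
	fmt.Println(apiKeyValid("k2", [][32]byte{hashSecret("k1"), hashSecret("k2")}))
}
```

A BasicAuth or APIKey middleware would call `verify` / `apiKeyValid` where it currently uses `==`; the rest of the handler chain is unchanged.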

Metadata

Assignees

No one assigned

Labels

triage (The issue needs triaging.)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests