Use constant-time comparison to prevent timing attacks

nanobox-io · Jan 31, 2020 · f6d0792 · f6d0792
1 parent bde2d86
commit f6d0792
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/nanoauth.go b/nanoauth.go
@@ -5,6 +5,7 @@
 package nanoauth
 
 import (
+	"crypto/subtle"
 	"crypto/tls"
 	"errors"
 	"net"
@@ -56,7 +57,7 @@ func (self *Auth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			auth = req.FormValue(self.Header)
 		}
 
-		if auth != self.Token {
+		if subtle.ConstantTimeCompare([]byte(auth), []byte(self.Token)) == 0 {
 			rw.WriteHeader(http.StatusUnauthorized)
 			return
 		}