Constant time equal for auth

xarantolus · Dec 31, 2023 · e284680 · e284680
1 parent effbd3c
commit e284680
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/server/Cargo.toml b/server/Cargo.toml
@@ -14,6 +14,7 @@ futures-util = "0.3.29"
 log = "0.4.20"
 macaddr = { version = "1.0.1", features = ["serde"] }
 serde = { version = "1.0.193", features = ["derive"] }
+subtle = "2.5.0"
 tokio = { version = "1.34.0", features = ["full"] }
 tokio-tungstenite = "0.21.0"
 toml = "0.8.8"

diff --git a/server/src/web_server.rs b/server/src/web_server.rs
@@ -7,6 +7,7 @@ use log::info;
 use std::net::SocketAddr;
 use warp::reject::Rejection;
 use warp::reply::Reply;
+use subtle::ConstantTimeEq;
 
 use std::{convert::Infallible, sync::Arc};
 
@@ -109,7 +110,7 @@ struct AuthQuery {
 fn with_auth(token: String) -> impl Filter<Extract = (bool,), Error = Rejection> + Clone {
     warp::any()
         .and(warp::filters::query::query::<AuthQuery>())
-        .map(move |query: AuthQuery| query.token == token)
+        .map(move |query: AuthQuery| query.token.as_bytes().ct_eq(token.as_bytes()).into())
 }
 
 pub async fn start_web_server(config: &Config, connection_manager: Arc<Manager>) {