mirror/rogueserver
1
0
Fork 0
mirror of https://github.com/pagefaultgames/rogueserver.git synced 2025-04-02 02:57:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(account): use constant time comparison for password check

Browse Source
This commit is contained in:
Elouan Martinet 2024-08-05 22:19:02 +02:00
parent 9b771cbac6
commit 41293d4fc5
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/account/login.go
View File

@ -18,8 +18,8 @@
package account
import (
"bytes"
"crypto/rand"
"crypto/subtle"
"database/sql"
"encoding/base64"
"errors"
@ -51,7 +51,7 @@ func Login(username, password string) (LoginResponse, error) {
return response, err
}
if !bytes.Equal(key, deriveArgon2IDKey([]byte(password), salt)) {
if subtle.ConstantTimeCompare(key, deriveArgon2IDKey([]byte(password), salt)) == 0 {
return response, fmt.Errorf("password doesn't match")
}