From 41293d4fc592ef51f7b36f41827a3ba20c905727 Mon Sep 17 00:00:00 2001
From: Elouan Martinet
Date: Mon, 5 Aug 2024 22:19:02 +0200
Subject: [PATCH] fix(account): use constant time comparison for password check
---
 api/account/login.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/account/login.go b/api/account/login.go
index f9b6034..b153920 100644
--- a/api/account/login.go
+++ b/api/account/login.go
@@ -18,8 +18,8 @@ package account
 import (
- "bytes"
 "crypto/rand"
+ "crypto/subtle"
 "database/sql"
 "encoding/base64"
 "errors"
@@ -51,7 +51,7 @@ func Login(username, password string) (LoginResponse, error) {
 return response, err
 }
- if !bytes.Equal(key, deriveArgon2IDKey([]byte(password), salt)) {
+ if subtle.ConstantTimeCompare(key, deriveArgon2IDKey([]byte(password), salt)) == 0 {
 return response, fmt.Errorf("password doesn't match")
 }
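Review bot: The constant-time compare in the second hunk only equalizes the byte comparison; the `return response, err` two lines above it still exits before `deriveArgon2IDKey` runs, so if that error path is the unknown-user case (the lookup is outside the hunk, so this is inferred) the response time still differs between an unknown username and a wrong password and the account can be distinguished by timing. Consider deriving a key against a fixed dummy salt on that path too, or documenting why the difference is acceptable. `subtle.ConstantTimeCompare` also returns 0 immediately when the slices differ in length, which is fine here only if the stored `key` always has the same length as the freshly derived one; a comment such as `// key and derived key share a fixed length, so ConstantTimeCompare does not short-circuit` would make that invariant explicit. The `Login` function begins and ends outside the hunk.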