fix(account): use constant time comparison for password check

pull/48/head
Elouan Martinet 4 months ago
parent 9b771cbac6
commit 41293d4fc5

@ -18,8 +18,8 @@
package account package account
import ( import (
"bytes"
"crypto/rand" "crypto/rand"
"crypto/subtle"
"database/sql" "database/sql"
"encoding/base64" "encoding/base64"
"errors" "errors"
@ -51,7 +51,7 @@ func Login(username, password string) (LoginResponse, error) {
return response, err return response, err
} }
if !bytes.Equal(key, deriveArgon2IDKey([]byte(password), salt)) { if subtle.ConstantTimeCompare(key, deriveArgon2IDKey([]byte(password), salt)) == 0 {
return response, fmt.Errorf("password doesn't match") return response, fmt.Errorf("password doesn't match")
} }
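Review bot: The `== 0` test on the new comparison line is correct but reads inverted next to the `!bytes.Equal` it replaces, and `subtle.ConstantTimeCompare` also returns 0 immediately when the two slices differ in length, so a short comment above the `if` would spare the next reader a trip to the docs: `// ConstantTimeCompare returns 1 only on a match; 0 also covers a length mismatch,` / `// so the comparison is constant-time only when both keys have the same length.` Both arguments are presumably fixed-length Argon2id outputs, which makes the length shortcut harmless, but neither the stored key's origin nor its expected length is visible in the hunk. If the `return response, err` just above exits when the username is unknown without ever calling `deriveArgon2IDKey`, the login path still shows a measurable timing difference between an unknown user and a wrong password; deriving a key against a dummy salt on that path before returning would remove it. Login's body begins before this hunk, so that could not be confirmed here.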
