feat: use ct_eq for checking bearer token (#5501)

This commit is contained in:
Jędrzej Stuczyński
2025-02-24 09:04:34 +00:00
committed by GitHub
parent dd3dcfa7fe
commit 17d3ff2d77
3 changed files with 4 additions and 1 deletions
Generated
+1
@@ -5940,6 +5940,7 @@ dependencies = [
"serde",
"serde_json",
"serde_yaml",
"subtle 2.6.1",
"tower 0.5.2",
"tracing",
"utoipa",
+1
@@ -20,6 +20,7 @@ mime = { workspace = true }
serde = { workspace = true, features = ["derive"] }
serde_json.workspace = true
serde_yaml = { workspace = true }
subtle.workspace = true
tower = { workspace = true }
tracing.workspace = true
utoipa = { workspace = true, optional = true }
@@ -7,6 +7,7 @@ use axum::{extract::Request, response::Response};
use futures::future::BoxFuture;
use std::sync::Arc;
use std::task::{Context, Poll};
use subtle::ConstantTimeEq;
use tower::{Layer, Service};
use tracing::{debug, instrument, trace};
use zeroize::Zeroizing;
@@ -76,7 +77,7 @@ impl<S> RequireAuth<S> {
return Err("`Authorization` header must contain non-empty `Bearer` token");
}
if self.bearer_token.as_str() != bearer_token {
if bool::from(self.bearer_token.as_bytes().ct_ne(bearer_token.as_bytes())) {
return Err("`Authorization` header does not contain the correct `Bearer` token");
}