diff --git a/Cargo.lock b/Cargo.lock index 4178cfb4de..582804e39d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5940,6 +5940,7 @@ dependencies = [ "serde", "serde_json", "serde_yaml", + "subtle 2.6.1", "tower 0.5.2", "tracing", "utoipa", diff --git a/common/http-api-common/Cargo.toml b/common/http-api-common/Cargo.toml index e00af2e4ef..e8cf08b103 100644 --- a/common/http-api-common/Cargo.toml +++ b/common/http-api-common/Cargo.toml @@ -20,6 +20,7 @@ mime = { workspace = true } serde = { workspace = true, features = ["derive"] } serde_json.workspace = true serde_yaml = { workspace = true } +subtle.workspace = true tower = { workspace = true } tracing.workspace = true utoipa = { workspace = true, optional = true } diff --git a/common/http-api-common/src/middleware/bearer_auth.rs b/common/http-api-common/src/middleware/bearer_auth.rs index 68867f32a3..bb334ab944 100644 --- a/common/http-api-common/src/middleware/bearer_auth.rs +++ b/common/http-api-common/src/middleware/bearer_auth.rs @@ -7,6 +7,7 @@ use axum::{extract::Request, response::Response}; use futures::future::BoxFuture; use std::sync::Arc; use std::task::{Context, Poll}; +use subtle::ConstantTimeEq; use tower::{Layer, Service}; use tracing::{debug, instrument, trace}; use zeroize::Zeroizing; @@ -76,7 +77,7 @@ impl RequireAuth { return Err("`Authorization` header must contain non-empty `Bearer` token"); } - if self.bearer_token.as_str() != bearer_token { + if bool::from(self.bearer_token.as_bytes().ct_ne(bearer_token.as_bytes())) { return Err("`Authorization` header does not contain the correct `Bearer` token"); }