feat: use ct_eq for checking bearer token (#5501) (#5519)

This commit is contained in:
Jędrzej Stuczyński
2025-02-26 09:48:05 +00:00
committed by GitHub
parent 8f5457e698
commit 80b395cd8e
3 changed files with 4 additions and 1 deletions
Generated
+1
View File
@@ -5888,6 +5888,7 @@ dependencies = [
"serde",
"serde_json",
"serde_yaml",
"subtle 2.6.1",
"tower 0.5.2",
"tracing",
"utoipa",
+1
View File
@@ -20,6 +20,7 @@ mime = { workspace = true }
serde = { workspace = true, features = ["derive"] }
serde_json.workspace = true
serde_yaml = { workspace = true }
subtle.workspace = true
tower = { workspace = true }
tracing.workspace = true
utoipa = { workspace = true, optional = true }
@@ -7,6 +7,7 @@ use axum::{extract::Request, response::Response};
use futures::future::BoxFuture;
use std::sync::Arc;
use std::task::{Context, Poll};
use subtle::ConstantTimeEq;
use tower::{Layer, Service};
use tracing::{debug, instrument, trace};
use zeroize::Zeroizing;
@@ -76,7 +77,7 @@ impl<S> RequireAuth<S> {
return Err("`Authorization` header must contain non-empty `Bearer` token");
}
if self.bearer_token.as_str() != bearer_token {
if bool::from(self.bearer_token.as_bytes().ct_ne(bearer_token.as_bytes())) {
return Err("`Authorization` header does not contain the correct `Bearer` token");
}