Use ConstantTimeCompare to make the login more secure and not leak information about the used password (#205)

2022-07-14 08:35:58 +02:00
parent f43c59c043
commit 97652be545
1 changed files with 5 additions and 2 deletions
--- a/handler/routes.go
+++ b/handler/routes.go
@@ -1,6 +1,7 @@
 package handler

 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -49,7 +50,9 @@ func Login(db store.IStore) echo.HandlerFunc {
 			return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
 		}

-		if user.Username == dbuser.Username && user.Password == dbuser.Password {
+		userCorrect := subtle.ConstantTimeCompare([]byte(user.Username), []byte(dbuser.Username)) == 1
+		passwordCorrect := subtle.ConstantTimeCompare([]byte(user.Password), []byte(dbuser.Password)) == 1
+		if userCorrect && passwordCorrect {
 			// TODO: refresh the token
 			sess, _ := session.Get("session", c)
 			sess.Options = &sessions.Options{