authorizerdev · lakhansamani · Apr 4, 2026 · Apr 4, 2026
diff --git a/internal/graphql/reset_password.go b/internal/graphql/reset_password.go
@@ -2,6 +2,7 @@ package graphql
 
 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"strings"
 	"time"
@@ -110,7 +111,7 @@ func (g *graphqlProvider) ResetPassword(ctx context.Context, params *model.Reset
 			log.Debug().Err(err).Msg("Failed to get otp request by phone number")
 			return nil, fmt.Errorf(`invalid otp`)
 		}
-		if otpRequest.Otp != otp {
+		if subtle.ConstantTimeCompare([]byte(otpRequest.Otp), []byte(otp)) != 1 {
 			log.Debug().Msg("Failed to verify otp request: Incorrect value")
 			return nil, fmt.Errorf(`invalid otp`)
 		}

diff --git a/internal/graphql/verify_otp.go b/internal/graphql/verify_otp.go
@@ -2,6 +2,7 @@ package graphql
 
 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"strings"
 	"time"
@@ -105,7 +106,7 @@ func (g *graphqlProvider) VerifyOTP(ctx context.Context, params *model.VerifyOTP
 			log.Debug().Msg("OTP not found")
 			return nil, fmt.Errorf(`OTP not found`)
 		}
-		if params.Otp != otp.Otp {
+		if subtle.ConstantTimeCompare([]byte(params.Otp), []byte(otp.Otp)) != 1 {
 			log.Debug().Msg("Failed to verify otp request: OTP mismatch")
 			return nil, fmt.Errorf(`invalid otp`)
 		}

diff --git a/internal/http_handlers/token.go b/internal/http_handlers/token.go
@@ -2,6 +2,7 @@ package http_handlers
 
 import (
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base64"
 	"net/http"
 	"strings"
@@ -158,7 +159,7 @@ func (h *httpProvider) TokenHandler() gin.HandlerFunc {
 				}
 
 			} else {
-				if clientSecret != h.Config.ClientSecret {
+				if subtle.ConstantTimeCompare([]byte(clientSecret), []byte(h.Config.ClientSecret)) != 1 {
 					log.Debug().Msg("Client secret is invalid")
 					gc.JSON(http.StatusUnauthorized, gin.H{
 						"error":             "invalid_client",