Fix(auth): use crypto/subtle to compare strings

Related: #37
cortexproject · Apr 26, 2024 · 7a68b02 · 7a68b02
1 parent 6aa2583
commit 7a68b02
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/gateway/middleware.go b/gateway/middleware.go
@@ -1,6 +1,7 @@
 package gateway
 
 import (
+	"crypto/subtle"
 	"net/http"
 
 	"github.com/cortexproject/auth-gateway/middleware"
@@ -53,14 +54,19 @@ func (tenant *Tenant) basicAuth(w http.ResponseWriter, r *http.Request) bool {
 		return false
 	}
 
-	if tenant.Username == username {
-		if tenant.Password == password {
-			r.Header.Set("X-Scope-OrgID", tenant.ID)
-			return true
-		} else {
-			return false
-		}
+	if !tenant.saveCompare(username, password) {
+		return false
 	}
 
+	return true
+}
+
+// attempt to mitigate timing attacks
+func (tenant *Tenant) saveCompare(username, password string) bool {
+	userNameCheck := subtle.ConstantTimeCompare([]byte(tenant.Username), []byte(username))
+	passwordCheck := subtle.ConstantTimeCompare([]byte(tenant.Password), []byte(password))
+	if userNameCheck == 1 && passwordCheck == 1 {
+		return true
+	}
 	return false
 }