Compare codes with constant-time hash_equals, fixes #318

Signed-off-by: Christian Scheb <git@christianscheb.de>

Author: scheb

src/email/Security/TwoFactor/Provider/Email/EmailTwoFactorProvider.php

@@ -12,6 +12,7 @@
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\TwoFactorFormRendererInterface;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\TwoFactorProviderInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
+use function hash_equals;
 use function str_replace;
 
 /**
@@ -57,12 +58,17 @@ public function validateAuthenticationCode(object $user, string $authenticationC
             return false;
         }
 
+        $currentAuthCode = $user->getEmailAuthCode();
+        if (null === $currentAuthCode) {
+            return false;
+        }
+
         $event = new TwoFactorCodeEvent($user, $authenticationCode);
         $this->eventDispatcher->dispatch($event, EmailCodeEvents::CHECK);
 
         // Strip any user added spaces
         $authenticationCode = str_replace(' ', '', $authenticationCode);
-        $isValid = $user->getEmailAuthCode() === $authenticationCode;
+        $isValid = hash_equals($currentAuthCode, $authenticationCode);
         $this->eventDispatcher->dispatch($event, $isValid ? EmailCodeEvents::VALID : EmailCodeEvents::INVALID);
 
         return $isValid;