| author | Peter Stone <thepeterstone@gmail.com> | 2026-01-26 07:03:53 -1000 |
|---|---|---|
| committer | Peter Stone <thepeterstone@gmail.com> | 2026-01-26 07:03:53 -1000 |
| commit | 8c2b8c352f8c980c79bb4bb4772e8cbc02d14164 (patch) | |
| tree | 6913a38cf462df397b24ba0c6c4c18f128562429 /internal/auth | |
| parent | ff7339acfdf533110f3ab1f902e153df739eed1b (diff) | |
Phase 3: Error handling and security hardening
- Handle JSON marshal errors in sqlite.go (log + fallback to empty array)
- Add 30s timeout to Google Calendar client initialization
- Fix CSRF timing attack by using subtle.ConstantTimeCompare
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Diffstat (limited to 'internal/auth')
| -rw-r--r-- | internal/auth/middleware.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
index b440032..ecdde82 100644
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"crypto/rand"
+	"crypto/subtle"
 	"encoding/base64"
 	"net/http"
 
@@ -82,7 +83,8 @@ func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
 		requestToken = r.FormValue("csrf_token")
 	}
 
-	if requestToken == "" || requestToken != token {
+	// Use constant-time comparison to prevent timing attacks
+	if requestToken == "" || subtle.ConstantTimeCompare([]byte(requestToken), []byte(token)) != 1 {
 		http.Error(w, "Forbidden - CSRF Token Mismatch", http.StatusForbidden)
 		return
 	}
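Review bot: The new comparison in the second hunk is constant-time only in the token contents, not in its length — `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so the comment `// Use constant-time comparison to prevent timing attacks` overstates the guarantee. That is acceptable if `token` is always a fixed-size value (the `crypto/rand` and `encoding/base64` imports suggest it is generated at a fixed length, but its origin is not visible in this hunk), and the comment should say so, e.g. `// Constant-time in content; length is not secret because tokens are fixed-size`. If the token length can vary, compare fixed-size digests instead, `subtle.ConstantTimeCompare(sha256(requestToken), sha256(token))`, which removes the length dependence entirely. The enclosing CSRFProtect handler starts and ends outside this hunk, so where `token` is read and whether it can be empty is not verifiable here.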
