Diffstat (limited to 'internal/auth')
| -rw-r--r-- | internal/auth/middleware.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
index b440032..ecdde82 100644
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@@ -3,6 +3,7 @@ package auth
 import (
 "context"
 "crypto/rand"
+ "crypto/subtle"
 "encoding/base64"
 "net/http"
@@ -82,7 +83,8 @@ func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
 requestToken = r.FormValue("csrf_token")
 }
- if requestToken == "" || requestToken != token {
+ // Use constant-time comparison to prevent timing attacks
+ if requestToken == "" || subtle.ConstantTimeCompare([]byte(requestToken), []byte(token)) != 1 {
 http.Error(w, "Forbidden - CSRF Token Mismatch", http.StatusForbidden)
 return
 }
|
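Review bot: `subtle.ConstantTimeCompare` on the new `if` line returns 0 immediately when the two slices differ in length, so the comparison is constant-time only for equal-length inputs, and the added comment overstates the guarantee. That is acceptable if the server-side token always has the fixed length the generator produces (crypto/rand plus base64, judging by the imports), but the comment should say so: `// Constant-time compare; ConstantTimeCompare short-circuits on a length mismatch, which is fine because tokens have a fixed length.` If token length can vary, compare SHA-256 digests of both values instead so the length check is uniform. CSRFProtect's body begins and ends outside the hunk, so where `token` is loaded and whether it can be empty is not visible here; note that an empty `token` with a non-empty `requestToken` is still rejected by the length mismatch.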
