lines changed Original file line number Diff line number Diff line change @@ -41,7 +41,8 @@ pub struct Config {
41
41
// Gitlab authentication
42
42
pub ( crate ) gitlab_accesstoken : Option < String > ,
43
43
44
- // Access token for APIs for crates.io
44
+ // Access token for APIs for crates.io (careful: use
45
+ // constant_time_eq for comparisons!)
45
46
pub ( crate ) cratesio_token : Option < String > ,
46
47
47
48
// amount of retries for external API calls, mostly crates.io
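Review bot: The new comment on `cratesio_token` says what to do but not why, and a bare "careful" is easily lost on the next maintainer who adds a second check site. I would state the reason in place: `// Access token for the crates.io APIs. It is checked against caller-supplied tokens, so compare it only with constant_time_eq: a plain == short-circuits on the first differing byte and leaks how much of the secret matched.` That the field is compared against inbound tokens is inferred from the handler change in this commit's other file, not from this hunk. `Config` continues outside the hunk; `gitlab_accesstoken` just above carries no such note, which is fine as long as it is only sent outbound and never compared against request data.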
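--- a/<PATH NOT SHOWN ON PAGE: second file>
+++ b/<PATH NOT SHOWN ON PAGE: second file>
@@ -24,6 +24,7 @@ use axum_extra::{
 TypedHeader ,
 } ;
 use chrono:: { DateTime , Utc } ;
+use constant_time_eq:: constant_time_eq;
 use http:: StatusCode ;
 use semver:: Version ;
 use serde:: Serialize ;
@@ -191,7 +192,7 @@ pub(crate) async fn build_trigger_rebuild_handler(
 let TypedHeader ( auth_header) = opt_auth_header. ok_or ( JsonAxumNope ( AxumNope :: Unauthorized (
 "Missing authentication token" ,
 ) ) ) ?;
-if auth_header. token ( ) != expected_token {
+if ! constant_time_eq ( auth_header. token ( ) . as_bytes ( ) , expected_token. as_bytes ( ) ) {
 return Err ( JsonAxumNope ( AxumNope :: Unauthorized (
 "The token used for authentication is not valid" ,
 ) ) ) ;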
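Review bot: The `constant_time_eq` call on new line 195 still returns early when the two slices differ in length (as far as I recall the crate compares lengths before its constant-time loop), so the length of `expected_token` stays observable through timing; the usual way to close that is to compare fixed-length digests of both values rather than the raw bytes, or to document that the length leak is accepted. The serious part, how many leading bytes matched, is fixed by this change, and that deserves a why-comment so nobody reverts it to `!=` during a cleanup: `// Constant-time compare: a plain != short-circuits on the first mismatching byte and would let a caller recover the token one byte at a time.` `expected_token` is produced outside the hunk, as is the rest of `build_trigger_rebuild_handler`; it is worth confirming there that an unset `cratesio_token` leads to rejection rather than a comparison against an empty default.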