
Commit e00b111

committed
web/builds: use constant_time_eq
1 parent 60ec5fe commit e00b111


2 files changed

+4
-2
lines changed


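--- a/src/config.rs
+++ b/src/config.rs
@@ -41,7 +41,8 @@ pub struct Config {
 // Gitlab authentication
 pub(crate) gitlab_accesstoken: Option<String>,
 
-// Access token for APIs for crates.io
+// Access token for APIs for crates.io (careful: use
+// constant_time_eq for comparisons!)
 pub(crate) cratesio_token: Option<String>,
 
 // amount of retries for external API calls, mostly crates.io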

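--- a/src/web/builds.rs
+++ b/src/web/builds.rs
@@ -24,6 +24,7 @@ use axum_extra::{
 TypedHeader,
 };
 use chrono::{DateTime, Utc};
+use constant_time_eq::constant_time_eq;
 use http::StatusCode;
 use semver::Version;
 use serde::Serialize;
@@ -191,7 +192,7 @@ pub(crate) async fn build_trigger_rebuild_handler(
 let TypedHeader(auth_header) = opt_auth_header.ok_or(JsonAxumNope(AxumNope::Unauthorized(
 "Missing authentication token",
 )))?;
-if auth_header.token() != expected_token {
+if !constant_time_eq(auth_header.token().as_bytes(), expected_token.as_bytes()) {
 return Err(JsonAxumNope(AxumNope::Unauthorized(
 "The token used for authentication is not valid",
 )));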
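Review bot: The `constant_time_eq` call on new line 195 is constant-time only for equal-length inputs; the crate returns early when the two slices differ in length, so the comparison still reveals whether the presented token matches the expected token's length. If `expected_token` always has a fixed format that leak is negligible, but if it is an arbitrary operator-chosen secret (the config.rs hunk suggests it may come from `cratesio_token`, which I cannot confirm from the hunk), comparing fixed-size digests of both values would remove the length dependence entirely. At minimum a short comment above the check would stop the next reader from assuming the comparison is fully timing-independent, e.g. `// constant_time_eq short-circuits on unequal lengths: only the token length can leak, not its contents.` The enclosing `build_trigger_rebuild_handler` starts before and continues past this hunk, so where `expected_token` is obtained is not visible here.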
