security(admin): constant-time bootstrap token compare and strength check #88

Closed
abdrassulov wants to merge 1 commit into Grainlify:main from abdrassulov:security/bootstrap-token-hardening

@abdrassulov

📌 Description

This PR secures the endpoint in by adopting constant-time string comparison () to defend against timing side-channel attacks. It also enforces a minimum strength requirement (at least 32 characters) on the configured admin bootstrap token.

✅ Solution

  • Adopted (on SHA-256 hashed tokens) for secure token matching.
  • Added validation to ensure the configured is at least 32 characters long. If not, the endpoint is disabled.
  • Added success and failure slog audit entries (without logging the secret token itself).
  • Added full test coverage for all match, mismatch, empty token, and short token configurations.
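
An added example, not code from this PR or the Grainlify repository: one way the hash-then-compare check, the 32-character minimum and the secret-free audit entries described above could look in Go. The function name, error values and log messages are hypothetical, and token length is assumed to be measured in bytes.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"log/slog"
	"strings"
)

// minTokenLen is the 32-character minimum stated in the PR description.
const minTokenLen = 32

var (
	errDisabled = errors.New("bootstrap disabled: configured token too short")
	errMismatch = errors.New("bootstrap token mismatch")
)

// checkBootstrapToken (hypothetical name) compares the presented token with
// the configured one without leaking where, or at what length, they differ.
func checkBootstrapToken(configured, presented string) error {
	if len(configured) < minTokenLen {
		slog.Warn("admin bootstrap rejected", "reason", "disabled")
		return errDisabled
	}
	// ConstantTimeCompare returns 0 immediately when lengths differ, so hash
	// both sides first: the digests are always 32 bytes.
	want := sha256.Sum256([]byte(configured))
	got := sha256.Sum256([]byte(presented))
	if subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		// Audit the outcome only; neither token is ever a log attribute.
		slog.Warn("admin bootstrap rejected", "reason", "mismatch")
		return errMismatch
	}
	slog.Info("admin bootstrap accepted")
	return nil
}

func main() {
	token := strings.Repeat("k", 40) // constructed sample value
	fmt.Println(checkBootstrapToken(token, token))
	fmt.Println(checkBootstrapToken(token, token[:39]))
	fmt.Println(checkBootstrapToken("short", "short"))
}
```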

@Jagadeeshftw

Contributor

hey @abdrassulov, thanks for the contribution! closing this one because we couldn't find a linked issue. to keep things organized: please comment on an open issue to get assigned first, then raise your pr referencing it. happy to see you back once you've been assigned!
