Skip to content

Use constant-time comparison for basic auth password check #475

Description

@ChristianPavilonis

Context

crates/common/src/auth.rs:17 compares the basic auth password using standard ==, which is susceptible to timing side-channel attacks. While low severity behind TLS with basic auth, this was noted during the PR #468 review (which focused on improving secret handling).

Proposal

Use subtle::ConstantTimeEq or an equivalent constant-time comparison for the password check in enforce_basic_auth as a defense-in-depth measure.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions