fix(api): use constant time comparison for tokens

This commit is contained in:
alyssa 2025-08-08 20:36:51 +00:00 committed by Iris System
parent 0f0577c758
commit 18bdd78b67
3 changed files with 8 additions and 3 deletions

Cargo.lock generated

@ -95,6 +95,7 @@ dependencies = [
"serde_json", "serde_json",
"serde_urlencoded", "serde_urlencoded",
"sqlx", "sqlx",
"subtle",
"tokio", "tokio",
"tower 0.4.13", "tower 0.4.13",
"tower-http", "tower-http",


@ -26,3 +26,4 @@ reverse-proxy-service = { version = "0.2.1", features = ["axum"] }
serde_urlencoded = "0.7.1" serde_urlencoded = "0.7.1"
tower = "0.4.13" tower = "0.4.13"
tower-http = { version = "0.5.2", features = ["catch-panic"] } tower-http = { version = "0.5.2", features = ["catch-panic"] }
subtle = "2.6.1"


@ -5,6 +5,8 @@ use axum::{
response::Response, response::Response,
}; };
use subtle::ConstantTimeEq;
use tracing::error; use tracing::error;
use crate::auth::AuthState; use crate::auth::AuthState;
@ -48,9 +50,10 @@ pub async fn auth(State(ctx): State<ApiContext>, mut req: Request, next: Next) -
.expect("missing api config") .expect("missing api config")
.temp_token2 .temp_token2
.as_ref() .as_ref()
// this is NOT how you validate tokens && app_auth_header
// but this is low abuse risk so we're keeping it for now .as_bytes()
&& app_auth_header == config_token2 .ct_eq(config_token2.as_bytes())
.into()
{ {
authed_app_id = Some(1); authed_app_id = Some(1);
} }
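Review bot: The `ct_eq` call on the two byte slices is constant-time only when both inputs have the same length; subtle's slice implementation returns early on a length mismatch, so the comparison still reveals whether the presented token has the configured token's length. That is documented behaviour rather than a defect, but it deserves a comment at the call site, e.g. `// ct_eq is constant-time only for equal-length inputs; the token's length is not treated as secret`. If the length is meant to stay confidential, compare fixed-size digests of both values instead of the raw bytes. The trailing `.into()` relies on `From<Choice> for bool`; writing `bool::from(...)` would make the target type explicit to readers of the `if let` chain. The enclosing `auth` function begins and ends outside this hunk.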