eightball/PluralKit
1
0
Fork 0
mirror of https://github.com/PluralKit/PluralKit.git synced 2026-02-08 06:47:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(api): use constant time comparison for tokens

Browse source
This commit is contained in:
alyssa 2025-08-08 20:36:51 +00:00
parent 2d40a1ee16
commit 9c1acd84e1
3 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

9
crates/api/src/middleware/auth.rs
View file

@ -5,6 +5,8 @@ use axum::{
response::Response,
};
use subtle::ConstantTimeEq;
use tracing::error;
use crate::auth::AuthState;
@ -48,9 +50,10 @@ pub async fn auth(State(ctx): State<ApiContext>, mut req: Request, next: Next) -
.expect("missing api config")
.temp_token2
.as_ref()
// this is NOT how you validate tokens
// but this is low abuse risk so we're keeping it for now
&& app_auth_header == config_token2
&& app_auth_header
.as_bytes()
.ct_eq(config_token2.as_bytes())
.into()
{
authed_app_id = Some(1);
}