fix(auth): reorder password validation to enhance security against timing attacks

- Always perform bcrypt comparison before checking the username to mitigate potential timing attack vulnerabilities.
2026-03-27 03:21:09 +01:00 · 2026-02-15 20:02:19 +08:00
parent 154149b06d
commit f92e96831c
1 changed files with 4 additions and 3 deletions
--- a/internal/auth/userpass.go
+++ b/internal/auth/userpass.go
@@ -137,11 +137,12 @@ func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request)
 }

 func (auth *UserPassAuth) validatePassword(user, pass string) error {
-	if user != auth.username {
-		return ErrInvalidUsername
-	}
+	// always perform bcrypt comparison to avoid timing attacks
 	if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil {
 		return err
 	}
+	if user != auth.username {
+		return ErrInvalidUsername
+	}
 	return nil
 }