starred/godoxy-yusing
1
0
Fork 0
mirror of https://github.com/yusing/godoxy.git synced 2026-04-25 09:48:32 +02:00
Code Issues 18 Packages Projects Releases 10 Wiki Activity

fix(auth): reorder password validation to enhance security against timing attacks

Browse Source 
- Always perform bcrypt comparison before checking the username to mitigate potential timing attack vulnerabilities.
This commit is contained in:
yusing
2026-02-15 20:02:19 +08:00
parent 154149b06d
commit f92e96831c
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/auth/userpass.go
View File

@@ -137,11 +137,12 @@ func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request)
} }
func (auth *UserPassAuth) validatePassword(user, pass string) error { func (auth *UserPassAuth) validatePassword(user, pass string) error {
if user != auth.username { // always perform bcrypt comparison to avoid timing attacks
return ErrInvalidUsername
}
if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil { if err := bcrypt.CompareHashAndPassword(auth.pwdHash, []byte(pass)); err != nil {
return err return err
} }
if user != auth.username {
return ErrInvalidUsername
}
return nil return nil
} }