From f8ba6db3d6726038be5b26822d39bf1aa87f759e Mon Sep 17 00:00:00 2001 From: mkelvers Date: Tue, 26 May 2026 15:31:37 +0200 Subject: [PATCH] fix: use constant-time comparison for proxy token signature --- internal/playback/service/service.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/internal/playback/service/service.go b/internal/playback/service/service.go index 3f0e134..6fef801 100644 --- a/internal/playback/service/service.go +++ b/internal/playback/service/service.go @@ -78,11 +78,14 @@ func (s *playbackService) VerifyProxyToken(token string) (proxyTokenPayload, err if err != nil { return proxyTokenPayload{}, err } + decodedSig, err := base64.RawURLEncoding.DecodeString(parts[1]) + if err != nil { + return proxyTokenPayload{}, fmt.Errorf("invalid signature encoding: %w", err) + } mac := hmac.New(sha256.New, []byte(s.proxyTokenKey)) mac.Write(body) - signature := mac.Sum(nil) - encodedSig := base64.RawURLEncoding.EncodeToString(signature) - if encodedSig != parts[1] { + expectedSig := mac.Sum(nil) + if !hmac.Equal(expectedSig, decodedSig) { return proxyTokenPayload{}, fmt.Errorf("invalid signature") } var payload proxyTokenPayload