fix: use constant-time comparison for proxy token signature
This commit is contained in:
@@ -78,11 +78,14 @@ func (s *playbackService) VerifyProxyToken(token string) (proxyTokenPayload, err
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return proxyTokenPayload{}, err
|
return proxyTokenPayload{}, err
|
||||||
}
|
}
|
||||||
|
decodedSig, err := base64.RawURLEncoding.DecodeString(parts[1])
|
||||||
|
if err != nil {
|
||||||
|
return proxyTokenPayload{}, fmt.Errorf("invalid signature encoding: %w", err)
|
||||||
|
}
|
||||||
mac := hmac.New(sha256.New, []byte(s.proxyTokenKey))
|
mac := hmac.New(sha256.New, []byte(s.proxyTokenKey))
|
||||||
mac.Write(body)
|
mac.Write(body)
|
||||||
signature := mac.Sum(nil)
|
expectedSig := mac.Sum(nil)
|
||||||
encodedSig := base64.RawURLEncoding.EncodeToString(signature)
|
if !hmac.Equal(expectedSig, decodedSig) {
|
||||||
if encodedSig != parts[1] {
|
|
||||||
return proxyTokenPayload{}, fmt.Errorf("invalid signature")
|
return proxyTokenPayload{}, fmt.Errorf("invalid signature")
|
||||||
}
|
}
|
||||||
var payload proxyTokenPayload
|
var payload proxyTokenPayload
|
||||||
|
|||||||
Reference in New Issue
Block a user