jostreff/wireguard-ui
1
0
Fork 0
mirror of https://github.com/ngoduykhanh/wireguard-ui.git synced 2025-04-19 19:59:13 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use ConstantTimeCompare to make the login more secure and not leak information about the used password (#205)

Browse source
This commit is contained in:
Marcus Wichelmann 2022-07-14 08:35:58 +02:00 committed by GitHub
parent f43c59c043
commit 97652be545
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
handler/routes.go
View file

@ -1,6 +1,7 @@
package handler
import (
"crypto/subtle"
"encoding/base64"
"encoding/json"
"fmt"
@ -49,7 +50,9 @@ func Login(db store.IStore) echo.HandlerFunc {
return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
}
if user.Username == dbuser.Username && user.Password == dbuser.Password {
userCorrect := subtle.ConstantTimeCompare([]byte(user.Username), []byte(dbuser.Username)) == 1
passwordCorrect := subtle.ConstantTimeCompare([]byte(user.Password), []byte(dbuser.Password)) == 1
if userCorrect && passwordCorrect {
// TODO: refresh the token
sess, _ := session.Get("session", c)
sess.Options = &sessions.Options{