Merge 41293d4fc5 into 89aa5cd6e0

2025-12-22 17:49:15 +01:00 · 2025-11-21 13:28:25 +01:00 · 2025-11-21 13:28:25 +01:00 · 09509ee716
commit 09509ee716
parent 89aa5cd6e0 41293d4fc5
1 changed files with 2 additions and 2 deletions
--- a/api/account/login.go
+++ b/api/account/login.go
@ -18,8 +18,8 @@
 package account

 import (
-	"bytes"
 	"crypto/rand"
+	"crypto/subtle"
 	"database/sql"
 	"encoding/base64"
 	"errors"
@ -54,7 +54,7 @@ func Login[T LoginStore](store T, username, password string) (LoginResponse, err
 		return response, err
 	}

-	if !bytes.Equal(key, deriveArgon2IDKey([]byte(password), salt)) {
+	if subtle.ConstantTimeCompare(key, deriveArgon2IDKey([]byte(password), salt)) == 0 {
 		return response, fmt.Errorf("password doesn't match")
 	}