From b0797e2bf943db6eace97e2f372898269afbb147 Mon Sep 17 00:00:00 2001 From: Manu Mtz-Almeida Date: Tue, 1 Jul 2014 22:58:29 +0200 Subject: [PATCH] Fixes Basic HTTP Authorization middleware --- auth.go | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/auth.go b/auth.go index c6a5291a..eab1d946 100644 --- a/auth.go +++ b/auth.go @@ -7,6 +7,10 @@ import ( "sort" ) +const ( + AuthUserKey = "user" +) + type ( BasicAuthPair struct { Code string @@ -43,16 +47,22 @@ func processCredentials(accounts Accounts) (Pairs, error) { return pairs, nil } +func secureCompare(given, actual string) bool { + if subtle.ConstantTimeEq(int32(len(given)), int32(len(actual))) == 1 { + return subtle.ConstantTimeCompare([]byte(given), []byte(actual)) == 1 + } else { + /* Securely compare actual to itself to keep constant time, but always return false */ + return subtle.ConstantTimeCompare([]byte(actual), []byte(actual)) == 1 && false + } +} + func searchCredential(pairs Pairs, auth string) string { if len(auth) == 0 { return "" } // Search user in the slice of allowed credentials r := sort.Search(len(pairs), func(i int) bool { return pairs[i].Code >= auth }) - - if r < len(pairs) && subtle.ConstantTimeCompare([]byte(pairs[r].Code), []byte(auth)) == 1 { - // user is allowed, set UserId to key "user" in this context, the userId can be read later using - // c.Get("user" + if r < len(pairs) && secureCompare(pairs[r].Code, auth) { return pairs[r].User } else { return "" @@ -76,8 +86,8 @@ func BasicAuth(accounts Accounts) HandlerFunc { c.Fail(401, errors.New("Unauthorized")) } else { // user is allowed, set UserId to key "user" in this context, the userId can be read later using - // c.Get("user") - c.Set("user", user) + // c.Get(gin.AuthUserKey) + c.Set(AuthUserKey, user) } } }