Fixed ineffective constant-time-conparison protection

2025-10-11 15:57:08 +08:00 · 2025-09-23 20:56:58 +05:30 · 2025-09-23 20:56:58 +05:30 · 836a017f9d
commit 836a017f9d
parent 65eeaca312
1 changed files with 8 additions and 5 deletions
--- a/cmd/auth.go
+++ b/cmd/auth.go
@ -323,9 +323,17 @@ func (a *App) createOIDCUser(claims auth.OIDCclaim, c echo.Context) (auth.User,
 // doLogin logs a user in with a username and password.
 func (a *App) doLogin(c echo.Context) error {
 	var (
+		startTime = time.Now()
 		username = strings.TrimSpace(c.FormValue("username"))
 		password = strings.TrimSpace(c.FormValue("password"))
 	)
+	
+	// Ensure timing mitigation is applied regardless of early returns
+	defer func() {
+		if elapsed := time.Since(startTime).Milliseconds(); elapsed < 100 {
+			time.Sleep(time.Duration(100-elapsed) * time.Millisecond)
+		}
+	}()

 	if !strHasLen(username, 3, stdInputMaxLen) {
 		return echo.NewHTTPError(http.StatusBadRequest, a.i18n.Ts("globals.messages.invalidFields", "name", "username"))
@ -340,11 +348,6 @@ func (a *App) doLogin(c echo.Context) error {
 		return err
 	}

-	// Resist potential constant-time-comparison attacks with a min response time.
-	if ms := time.Since(time.Now()).Milliseconds(); ms < 100 {
-		time.Sleep(time.Duration(ms))
-	}
-
 	// Set the session in the DB and cookie.
 	if err := a.auth.SaveSession(user, "", c); err != nil {
 		return err