Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync
Use constant time comparison for client secret verification
This commit is contained in:
commit
18d1f70cee
2 changed files with 4 additions and 1 deletions
|
@ -2,6 +2,7 @@ package server
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
|
"crypto/subtle"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
@ -678,7 +679,8 @@ func (s *Server) withClientFromStorage(w http.ResponseWriter, r *http.Request, h
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if client.Secret != clientSecret {
|
|
||||||
|
if subtle.ConstantTimeCompare([]byte(client.Secret), []byte(clientSecret)) != 1 {
|
||||||
if clientSecret == "" {
|
if clientSecret == "" {
|
||||||
s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
|
s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
|
||||||
} else {
|
} else {
|
||||||
|
|
|
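Review bot: `subtle.ConstantTimeCompare` on the new compare line returns 0 immediately when the two byte slices differ in length, so the response timing of a rejected token request still reveals whether the supplied client_secret has the same length as the stored one. The import hunk above already brings in `crypto/sha256`, so hashing both sides first removes that leak while keeping the comparison constant time: `want := sha256.Sum256([]byte(client.Secret))`, `got := sha256.Sum256([]byte(clientSecret))`, `if subtle.ConstantTimeCompare(want[:], got[:]) != 1 {`. The branch name mentions bcrypt, but the hunk still compares the stored secret as plaintext; if hashed-at-rest secrets were the goal, this change does not address that. Behaviour for an empty client_secret is unchanged (an empty slice only matches an empty stored secret), so the inner `clientSecret == ""` logging branch still fires as before. `withClientFromStorage` begins before and continues after this hunk.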
@ -204,6 +204,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
|
||||||
if c.Storage == nil {
|
if c.Storage == nil {
|
||||||
return nil, errors.New("server: storage cannot be nil")
|
return nil, errors.New("server: storage cannot be nil")
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(c.SupportedResponseTypes) == 0 {
|
if len(c.SupportedResponseTypes) == 0 {
|
||||||
c.SupportedResponseTypes = []string{responseTypeCode}
|
c.SupportedResponseTypes = []string{responseTypeCode}
|
||||||
}
|
}
|
||||||
|
|