Merge pull request #296 from USACE/chore/constant-time-compare

dennisgsmith · web-flow · commit ac516a199117 · 2025-12-15T22:56:22.000-05:00
chore(api): constant time compare
diff --git a/api/internal/middleware/key.go b/api/internal/middleware/key.go
@@ -2,6 +2,7 @@ package middleware
 
 import (
 	"context"
+	"crypto/subtle"
 	"errors"
 
 	"github.com/USACE/instrumentation-api/api/v4/internal/ctxkey"
@@ -13,10 +14,12 @@ import (
 // AppKeyAuth does a key check for ?key=<ApplicationKey>
 func (m *apiMw) AppKeyAuth(ctx huma.Context, next func(huma.Context)) {
 	provided := ctx.Query("key")
-	if provided == m.Config.ApplicationKey && provided != "" {
-		newCtx := context.WithValue(ctx.Context(), ctxkey.AppKeyAuthSuccess, true)
-		next(huma.WithContext(ctx, newCtx))
-		return
+	if provided != "" {
+		if res := subtle.ConstantTimeCompare([]byte(provided), []byte(m.Config.ApplicationKey)); res == 1 {
+			newCtx := context.WithValue(ctx.Context(), ctxkey.AppKeyAuthSuccess, true)
+			next(huma.WithContext(ctx, newCtx))
+			return
+		}
 	}
 
 	m.httperr.SetResponse(ctx, httperr.Unauthorized(errors.New("Unauthorized: invalid or missing key")))
@@ -32,7 +35,7 @@ func (m *apiMw) keyAuth(isDisabled bool, appKey string, h HashExtractorFunc) fun
 			return
 		}
 
-		if providedKey == appKey {
+		if res := subtle.ConstantTimeCompare([]byte(providedKey), []byte(appKey)); res == 1 {
 			newCtx := context.WithValue(ctx.Context(), ctxkey.AppKeyAuthSuccess, true)
 			next(huma.WithContext(ctx, newCtx))
 			return
