fix: use constant-time comparison for admin secret by lakhansamani · Pull Request #490

fix: use constant-time comparison for admin secret by lakhansamani · Pull Request #490 · authorizerdev/authorizer

Merged

lakhansamani merged 3 commits intomainfrom

fix/admin-secret-constant-time-compare

Mar 1, 2026

Merged

fix: use constant-time comparison for admin secret#490
lakhansamani merged 3 commits intomainfrom
fix/admin-secret-constant-time-compare

Conversation

Copy link Copy Markdown

Contributor

lakhansamani commented
Mar 1, 2026

Summary

Replaced secret == p.config.AdminSecret with crypto/subtle.ConstantTimeCompare
Prevents timing side-channel attacks on admin secret verification

Test plan

Verify admin authentication still works correctly
Verify invalid admin secrets are rejected

Fixes #479

lakhansamani added 3 commits

March 1, 2026 11:47

fix: use constant-time comparison for admin secret

971b318

Replaced direct string comparison with crypto/subtle.ConstantTimeCompare
to prevent timing side-channel attacks on admin secret verification.

Fixes #479

Merge branch 'main' into fix/admin-secret-constant-time-compare

7d6fc08

test: add tests for admin secret header authentication

7f5ea2b

lakhansamani merged commit 844dadd into main

Mar 1, 2026

lakhansamani deleted the fix/admin-secret-constant-time-compare branch

March 1, 2026 07:02

Labels

None yet

Navigation Menu

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: use constant-time comparison for admin secret#490
lakhansamani merged 3 commits intomainfrom
fix/admin-secret-constant-time-compare

Conversation

lakhansamani commented
Mar 1, 2026

Summary

Test plan

Reviewers

Assignees

Labels

Projects

Milestone

Development

1 participant

Conversation

lakhansamani commented Mar 1, 2026

Summary

Test plan

Reviewers

Assignees

Labels

Projects

Milestone

Development

1 participant

lakhansamani commented
Mar 1, 2026