Verify token signature in constant time

To prevent timing side-channel attacks on the signature check
This commit is contained in:
Leon Klingele 2020-02-15 20:01:08 +01:00
parent 856ec03cc7
commit 34dee6d293
No known key found for this signature in database
GPG Key ID: 0C8AF48831EEC211


@ -1,3 +1,5 @@
require "crypto/subtle"
def generate_token(email, scopes, expire, key, db)
session = "v1:#{Base64.urlsafe_encode(Random::Secure.random_bytes(32))}"
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", session, email, Time.utc)
@ -76,7 +78,7 @@ def validate_request(token, session, request, key, db, locale = nil)
raise translate(locale, "Hidden field \"token\" is a required field")
end
if token["signature"] != sign_token(key, token)
if !Crypto::Subtle.constant_time_compare(token["signature"].to_s, sign_token(key, token))
raise translate(locale, "Invalid signature")
end
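Review bot: The comparison on the new `if !Crypto::Subtle.constant_time_compare(...)` line is constant-time only over the bytes it compares; as far as I recall Crystal's `Crypto::Subtle.constant_time_compare` returns `false` immediately when the two inputs differ in length, which is acceptable here only because the length of the signature is not secret — that assumption is worth recording so nobody later reads the call as fully length-independent. I'd add above the `if`: `# Constant-time compare so a byte-by-byte mismatch cannot leak the expected signature via timing; the early return on length mismatch in Crypto::Subtle is fine because the signature length is public.` The added `.to_s` also turns a missing or nil `token["signature"]` into `""`, which only fails closed as long as `sign_token` never yields an empty string; a visible guard such as `raise translate(locale, "Invalid signature") if token["signature"].to_s.empty?` before the compare makes that intent explicit. `validate_request` starts before this hunk and its body continues past it, so how `token` is parsed and what `sign_token` returns are not visible here.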