From 31fc0e57abeb699781c1c5a76347868d277b62e6 Mon Sep 17 00:00:00 2001
From: InnovativeInventor
Date: Sun, 15 Dec 2019 10:22:02 -0500
Subject: [PATCH] Fixed potential timing attack

---
 handlers/handlers.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/handlers/handlers.go b/handlers/handlers.go
index 18cc1bef..51b6d13b 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@@ -16,19 +16,21 @@
 package handlers
 
 import (
+	"crypto/subtle"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"github.com/gorilla/sessions"
-	"github.com/hunterlong/statping/core"
-	"github.com/hunterlong/statping/source"
-	"github.com/hunterlong/statping/types"
-	"github.com/hunterlong/statping/utils"
 	"html/template"
 	"net/http"
 	"os"
 	"strings"
 	"time"
+
+	"github.com/gorilla/sessions"
+	"github.com/hunterlong/statping/core"
+	"github.com/hunterlong/statping/source"
+	"github.com/hunterlong/statping/types"
+	"github.com/hunterlong/statping/utils"
 )
 
 const (
@@ -105,14 +107,14 @@ func IsReadAuthenticated(r *http.Request) bool {
 	var token string
 	query := r.URL.Query()
 	key := query.Get("api")
-	if key == core.CoreApp.ApiKey {
+	if subtle.ConstantTimeCompare([]byte(key), []byte(core.CoreApp.ApiKey)) == 1 {
 		return true
 	}
 	tokens, ok := r.Header["Authorization"]
 	if ok && len(tokens) >= 1 {
 		token = tokens[0]
 		token = strings.TrimPrefix(token, "Bearer ")
-		if token == core.CoreApp.ApiKey {
+		if subtle.ConstantTimeCompare([]byte(token), []byte(core.CoreApp.ApiKey)) == 1 {
 			return true
 		}
 	}
@@ -136,7 +138,7 @@ func IsFullAuthenticated(r *http.Request) bool {
 	if ok && len(tokens) >= 1 {
 		token = tokens[0]
 		token = strings.TrimPrefix(token, "Bearer ")
-		if token == core.CoreApp.ApiSecret {
+		if subtle.ConstantTimeCompare([]byte(token), []byte(core.CoreApp.ApiKey)) == 1 {
 			return true
 		}
 	}
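Review bot: With the constant-time compare in place, the first changed line in IsReadAuthenticated still grants read access whenever both sides are empty: `query.Get("api")` returns "" for a request without an `api` parameter, and `subtle.ConstantTimeCompare([]byte(""), []byte(""))` returns 1, so if `core.CoreApp.ApiKey` can ever be unset every request passes — the same behaviour the old `==` had, which this commit does not address. Whether ApiKey can be empty is not visible from the hunk; if it can, guard the comparison with `if key != "" && subtle.ConstantTimeCompare([]byte(key), []byte(core.CoreApp.ApiKey)) == 1 {` (and likewise for `token` on the Bearer path), or reject an empty configured key before comparing. The same consideration applies to the Bearer path in the IsFullAuthenticated hunk, where an `Authorization: Bearer ` header with nothing after the prefix trims to "". IsReadAuthenticated starts before this hunk and its final return is outside it.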
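Review bot: The replacement line in IsFullAuthenticated compares the bearer token against `core.CoreApp.ApiKey`, but the line it replaces compared against `core.CoreApp.ApiSecret`; this changes which credential unlocks full authentication rather than only how it is compared. As written, a holder of the read-level API key passes IsFullAuthenticated via the Authorization header, and the configured ApiSecret no longer works there. The line should read `if subtle.ConstantTimeCompare([]byte(token), []byte(core.CoreApp.ApiSecret)) == 1 {`. IsFullAuthenticated starts before this hunk and continues after it.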