fix: use constant time in user checks (#1004)

This commit is contained in:
Stavros
2026-07-14 16:49:59 +03:00
committed by GitHub
parent d946926c36
commit c22925c2fb
6 changed files with 33 additions and 5 deletions
@@ -2,6 +2,7 @@ package middleware
import (
"context"
"errors"
"fmt"
"net/http"
"strings"
@@ -244,6 +245,9 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
search, err := m.auth.SearchUser(username)
if err != nil {
if errors.Is(err, service.ErrUserNotFound) {
m.auth.DummyPasswordCheck(password)
}
return nil, nil, fmt.Errorf("error searching for user: %w", err)
}
@@ -264,7 +264,8 @@ func TestContextMiddleware(t *testing.T) {
Runtime: &runtime,
Ctx: ctx,
})
authService := service.NewAuthService(service.AuthServiceInput{
authService, err := service.NewAuthService(service.AuthServiceInput{
Log: log,
Config: &cfg,
Runtime: &runtime,
@@ -277,6 +278,8 @@ func TestContextMiddleware(t *testing.T) {
PolicyEngine: policyEngine,
})
require.NoError(t, err)
contextMiddleware := NewContextMiddleware(ContextMiddlewareInput{
Log: log,
RuntimeConfig: &runtime,