Unverified Commit 18d1f70c authored by Márk Sági-Kazár's avatar Márk Sági-Kazár Committed by GitHub

Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync

Use constant time comparison for client secret verification
parents 283dd89f fe8085b8
...@@ -2,6 +2,7 @@ package server ...@@ -2,6 +2,7 @@ package server
import ( import (
"crypto/sha256" "crypto/sha256"
"crypto/subtle"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
...@@ -678,7 +679,8 @@ func (s *Server) withClientFromStorage(w http.ResponseWriter, r *http.Request, h ...@@ -678,7 +679,8 @@ func (s *Server) withClientFromStorage(w http.ResponseWriter, r *http.Request, h
} }
return return
} }
if client.Secret != clientSecret {
if subtle.ConstantTimeCompare([]byte(client.Secret), []byte(clientSecret)) != 1 {
if clientSecret == "" { if clientSecret == "" {
s.logger.Infof("missing client_secret on token request for client: %s", client.ID) s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
} else { } else {
......
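Review bot: `subtle.ConstantTimeCompare` on the new line returns 0 as soon as the two slices differ in length, so the comparison is constant-time only for equal-length inputs and response timing can still reveal whether the presented `client_secret` has the same length as the stored secret. Since the file already imports `crypto/sha256`, hashing both values to a fixed-size digest before comparing removes that dependence: `want := sha256.Sum256([]byte(client.Secret))`, `got := sha256.Sum256([]byte(clientSecret))`, `if subtle.ConstantTimeCompare(want[:], got[:]) != 1 {`. The enclosing `withClientFromStorage` starts and ends outside the hunk, and the header's `+679,8` count suggests one added line the rendered view does not show, so the change should be re-checked against the full diff.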
...@@ -204,6 +204,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy) ...@@ -204,6 +204,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
if c.Storage == nil { if c.Storage == nil {
return nil, errors.New("server: storage cannot be nil") return nil, errors.New("server: storage cannot be nil")
} }
if len(c.SupportedResponseTypes) == 0 { if len(c.SupportedResponseTypes) == 0 {
c.SupportedResponseTypes = []string{responseTypeCode} c.SupportedResponseTypes = []string{responseTypeCode}
} }
......