From 11975d79116669d68a1c2d6c7c1bc30d4d9699e7 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 30 Apr 2023 21:08:36 +0200
Subject: [PATCH] use constant-time hash comparison

---
 internal/db/user.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/internal/db/user.go b/internal/db/user.go
index 4c757d7..bb307f7 100644
--- a/internal/db/user.go
+++ b/internal/db/user.go
@@ -1,8 +1,8 @@
 package db
 
 import (
-	"bytes"
 	"crypto/rand"
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -111,8 +111,7 @@ func comparePassword(hashedPassword string, password string) (bool, error) {
 	computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
 
 	// Compare the computed hash with the stored hash
-	// todo constant time?
-	return bytes.Equal(hash, computedHash), nil
+	return subtle.ConstantTimeCompare(hash, computedHash) == 1, nil
 }
 
 // DeleteUser deletes a user with the specified username from the database.
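Review bot: `subtle.ConstantTimeCompare` returns 0 immediately, without running its timed loop, when the two slices differ in length, so the new return line is only constant-time once both inputs are known to be `pwdHashSize` bytes; `computedHash` is by construction, but `hash` is decoded from the stored string earlier in this function, outside the hunk. Worth adding an explicit length check before the comparison, e.g. `if len(hash) != pwdHashSize { return false, errors.New("stored password hash has unexpected length") }`, which also turns a truncated or corrupted record into an error instead of a silent mismatch. The enclosing `comparePassword` body starts before the hunk, so where `hash` and `salt` are decoded and whether their lengths are already validated is not visible here.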