Fix(auth): use crypto/subtle to compare strings (#39)

* Fix(auth): use crypto/subtle to compare strings

Related: #37
Signed-off-by: till <[email protected]>

* Remove empty line

---------

Signed-off-by: till <[email protected]>
Co-authored-by: Friedrich Gonzalez <[email protected]>

Author: till

gateway/middleware.go

@@ -1,6 +1,7 @@
 package gateway
 
 import (
+	"crypto/subtle"
 	"net/http"
 
 	"github.com/cortexproject/auth-gateway/middleware"
@@ -53,14 +54,20 @@ func (tenant *Tenant) basicAuth(w http.ResponseWriter, r *http.Request) bool {
 		return false
 	}
 
-	if tenant.Username == username {
-		if tenant.Password == password {
-			r.Header.Set("X-Scope-OrgID", tenant.ID)
-			return true
-		} else {
-			return false
-		}
+	if !tenant.saveCompare(username, password) {
+		return false
 	}
 
+	r.Header.Set("X-Scope-OrgID", tenant.ID)
+	return true
+}
+
+// attempt to mitigate timing attacks
+func (tenant *Tenant) saveCompare(username, password string) bool {
+	userNameCheck := subtle.ConstantTimeCompare([]byte(tenant.Username), []byte(username))
+	passwordCheck := subtle.ConstantTimeCompare([]byte(tenant.Password), []byte(password))
+	if userNameCheck == 1 && passwordCheck == 1 {
+		return true
+	}
 	return false
 }