fix: use constant time comparison when checking for unhashed tokens

gwossum · gwossum · commit 5988c963a7f0 · 2025-11-20T13:40:04.000-06:00
diff --git a/authorization/storage_authorization.go b/authorization/storage_authorization.go
@@ -705,7 +705,7 @@ func (s *Store) filterAuthorizationsFn(filter influxdb.AuthorizationFilter) func
 		}
 
 		return func(a *influxdb.Authorization) bool {
-			if a.Token == token {
+			if subtle.ConstantTimeCompare([]byte(a.Token), []byte(token)) == 1 {
 				return true
 			}
 			return slices.Contains(allHashes, a.HashedToken)

Original file line number	Diff line number	Diff line change
`@@ -705,7 +705,7 @@ func (s *Store) filterAuthorizationsFn(filter influxdb.AuthorizationFilter) func`
`705`	`705`	`}`
`706`	`706`
`707`	`707`	`return func(a *influxdb.Authorization) bool {`
`708`		`- if a.Token == token {`
	`708`	`+ if subtle.ConstantTimeCompare([]byte(a.Token), []byte(token)) == 1 {`
`709`	`709`	`return true`
`710`	`710`	`}`
`711`	`711`	`return slices.Contains(allHashes, a.HashedToken)`