fix: 增强认证逻辑安全性 (#169)

Author: tbphp

internal/handler/handler.go

@@ -2,6 +2,7 @@
 package handler
 
 import (
+	"crypto/subtle"
 	"net/http"
 	"time"
 
@@ -83,15 +84,17 @@ func (s *Server) Login(c *gin.Context) {
 
 	authConfig := s.config.GetAuthConfig()
 
-	if req.AuthKey == authConfig.Key {
+	isValid := subtle.ConstantTimeCompare([]byte(req.AuthKey), []byte(authConfig.Key)) == 1
+
+	if isValid {
 		c.JSON(http.StatusOK, LoginResponse{
 			Success: true,
 			Message: "Authentication successful",
 		})
 	} else {
 		c.JSON(http.StatusUnauthorized, LoginResponse{
 			Success: false,
-			Message: "Invalid authentication key",
+			Message: "Authentication failed",
 		})
 	}
 }

internal/middleware/middleware.go

@@ -2,6 +2,7 @@
 package middleware
 
 import (
+	"crypto/subtle"
 	"fmt"
 	"strings"
 	"time"
@@ -126,7 +127,9 @@ func Auth(authConfig types.AuthConfig) gin.HandlerFunc {
 
 		key := extractAuthKey(c)
 
-		if key == "" || key != authConfig.Key {
+		isValid := key != "" && subtle.ConstantTimeCompare([]byte(key), []byte(authConfig.Key)) == 1
+
+		if !isValid {
 			response.Error(c, app_errors.ErrUnauthorized)
 			c.Abort()
 			return
@@ -154,14 +157,11 @@ func ProxyAuth(gm *services.GroupManager) gin.HandlerFunc {
 			return
 		}
 
-		// Then check System-wide keys (O(1) lookup)
-		if _, ok := group.EffectiveConfig.ProxyKeysMap[key]; ok {
-			c.Next()
-			return
-		}
+		// Check both key collections to prevent timing attacks
+		_, existsInEffective := group.EffectiveConfig.ProxyKeysMap[key]
+		_, existsInGroup := group.ProxyKeysMap[key]
 
-		// Check Group keys first (O(1) lookup)
-		if _, ok := group.ProxyKeysMap[key]; ok {
+		if existsInEffective || existsInGroup {
 			c.Next()
 			return
 		}