

Use safer secret checking
tulir committed Dec 20, 2023
1 parent b1dd8ef commit 14fdfe0
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions internal/provider/provider.go
Expand Up @@ -35,10 +35,10 @@ func GetProvider(code string) (*provider, bool) {
return p, exists
}

func calculateSecret(globalSecret []byte, code string) string {
func calculateSecret(globalSecret []byte, code string) []byte {
h := hmac.New(sha256.New, globalSecret)
h.Write([]byte(code))
return base64.RawStdEncoding.EncodeToString(h.Sum(nil))
return h.Sum(nil)
}

func RegisterProvider(data registerCommandData, provider *provider) (*registerCommandData, error) {
Expand All @@ -51,9 +51,13 @@ func RegisterProvider(data registerCommandData, provider *provider) (*registerCo
if err != nil {
return nil, err
}
data.Secret = calculateSecret(provider.globalSecret, data.Code)
data.Secret = base64.RawStdEncoding.EncodeToString(calculateSecret(provider.globalSecret, data.Code))
} else {
if calculateSecret(provider.globalSecret, data.Code) != data.Secret {
if len(data.Code) != 19 || len(data.Secret) > 64 {
return nil, fmt.Errorf("invalid secret")
}
decodedSecret, err := base64.RawStdEncoding.DecodeString(data.Secret)
if err != nil || !hmac.Equal(calculateSecret(provider.globalSecret, data.Code), decodedSecret) {
return nil, fmt.Errorf("invalid secret")
}
if existing, exists := codeToProvider[data.Code]; exists {
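Review bot: The two bounds in the new guard `if len(data.Code) != 19 || len(data.Secret) > 64` are unexplained magic numbers, and the secret bound is looser than the value it protects: calculateSecret now returns a raw SHA-256 HMAC, whose RawStdEncoding form is always `base64.RawStdEncoding.EncodedLen(sha256.Size)` (43) characters long, so any other length can be rejected before decoding with `if len(data.Code) != 19 || len(data.Secret) != base64.RawStdEncoding.EncodedLen(sha256.Size) {`. hmac.Equal already returns false on a length mismatch, so this is a cheap pre-filter rather than a correctness fix, but it makes the intent readable; a short comment on the 19, e.g. `// codes are fixed-length; reject anything else before doing HMAC work`, would help too, since the hunk does not show where that value comes from. Both `fmt.Errorf("invalid secret")` calls take no format arguments, so `errors.New("invalid secret")` is the idiomatic form, or a package-level `ErrInvalidSecret` sentinel that callers can test with errors.Is. The enclosing RegisterProvider body starts and ends outside the hunk.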

0 comments on commit 14fdfe0
