Context
crates/common/src/auth.rs:17 compares the basic auth password using standard ==, which is susceptible to timing side-channel attacks. While low severity behind TLS with basic auth, this was noted during the PR #468 review (which focused on improving secret handling).
Proposal
Use subtle::ConstantTimeEq or an equivalent constant-time comparison for the password check in enforce_basic_auth as a defense-in-depth measure.
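As an added illustration (not the project's code and not the fix itself), the snippet below puts the short-circuiting `==` check next to a constant-time comparison written without the subtle crate so it runs stand-alone; `compare_naive`, `naive_work`, `compare_ct` and the `credentials_match` stand-in for the check in enforce_basic_auth are assumed names, and the credentials are constructed sample values.

```rust
// Demonstrates why `==` on a password leaks timing and what a constant-time
// check does differently. Hypothetical names; not code from the crate.

/// The pattern flagged in the issue: slice equality stops at the first
/// differing byte, so the time taken depends on how long the matching
/// prefix of the guess is.
pub fn compare_naive(provided: &[u8], expected: &[u8]) -> bool {
    provided == expected
}

/// Instrumented model of the naive check: returns how many byte positions
/// were inspected before it decided. This makes the leak visible without
/// a noisy wall-clock measurement.
pub fn naive_work(provided: &[u8], expected: &[u8]) -> usize {
    if provided.len() != expected.len() {
        return 0;
    }
    let mut inspected = 0;
    for (a, b) in provided.iter().zip(expected) {
        inspected += 1;
        if a != b {
            break; // this early exit is the side channel
        }
    }
    inspected
}

/// Constant-time comparison: every byte pair is visited and differences are
/// OR-ed into one accumulator, so there is no data-dependent branch on the
/// content. Only the length is allowed to differ visibly, as with
/// subtle::ConstantTimeEq on slices. (subtle additionally inserts
/// optimization barriers; this plain loop omits them for readability.)
pub fn compare_ct(provided: &[u8], expected: &[u8]) -> bool {
    let mut diff: u8 = u8::from(provided.len() != expected.len());
    for (a, b) in provided.iter().zip(expected) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Stand-in for the password check in enforce_basic_auth. `&` instead of
/// `&&` so both comparisons always run regardless of the username result.
pub fn credentials_match(user: &str, pass: &str, want_user: &str, want_pass: &str) -> bool {
    compare_ct(user.as_bytes(), want_user.as_bytes())
        & compare_ct(pass.as_bytes(), want_pass.as_bytes())
}

fn main() {
    let secret = b"hunter2-correct"; // constructed sample password
    for guess in [&b"xunter2-correct"[..], b"hunter2-xorrect", b"hunter2-correct"] {
        println!("naive inspected {:2} bytes, naive={} ct={}",
            naive_work(guess, secret), compare_naive(guess, secret), compare_ct(guess, secret));
    }
}
```

Run it and the inspected-byte count grows with the length of the correct prefix, which is exactly the signal a remote timing measurement tries to recover; the constant-time version returns the same answers while doing the same amount of work for every guess of the same length.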
References