Prevent timing attack on usernames

influxdata · Jun 4, 2021 · f8f2cad · f8f2cad
1 parent 46f3b36
commit f8f2cad
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/plugins/common/auth/basic_auth.go b/plugins/common/auth/basic_auth.go
@@ -16,7 +16,8 @@ func (b *BasicAuth) Verify(r *http.Request) bool {
 	}
 
 	username, password, ok := r.BasicAuth()
-	return ok &&
-		subtle.ConstantTimeCompare([]byte(username), []byte(b.Username)) == 1 &&
-		subtle.ConstantTimeCompare([]byte(password), []byte(b.Password)) == 1
+
+	usernameComparison := subtle.ConstantTimeCompare([]byte(username), []byte(b.Username)) == 1
+	passwordComparison := subtle.ConstantTimeCompare([]byte(password), []byte(b.Password)) == 1
+	return ok && usernameComparison && passwordComparison
 }