Summary

Prevent timing attacks when validating credentials

Review Request #9795 — Created March 16, 2018 and submitted April 6, 2018, 1:30 p.m.

Information

Owner

brennie

Repository

rb-gateway

Branch

master

Bugs

Depends On

~~9840~~

Blocks

9834

Commit

6ce24af...

Reviewers

Groups

rb-gateway

People

Description

We now use constant time comparison to compare the credentials to the
configuration. We also do not short circuit the operation in the case
that the username is incorrect.

Testing Done

Ran unit tests.

flake8 passed.

JSHint passed.

Depends On:

+	~~9782 - Remove reliance on global state~~

```
Ship It!
```

Depends On:

-	~~9782 - Remove reliance on global state~~
+	~~9840 - Ensure we log all requests~~

Change Summary:

Rebasing all patches.

Commit:

-	8d1626a2cfcd932b022f50ab2ba682ac70d2174b
+	b6187a8f328fc5307c0030efc06e3369b4973dc0

Diff:

Revision 2 (+5 -1)

Show changes

api/api.go

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Change Summary:

Fix Config  -> config from rebase.

Commit:

-	b6187a8f328fc5307c0030efc06e3369b4973dc0
+	6ce24af7a928e4c0757c9a1129cd822cecdc7ad5

Diff:

Revision 3 (+5 -1)

Show changes

api/api.go

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to master (c5f9103)