commit c99df1c310d7ba7a9fbe9026646f8a951b1596c9
parent 591ae101448a19555fce5bca4f5caed0ff82457c
Author: vpl <vpl@vpl.me>
Date: Mon, 26 Aug 2019 20:22:04 +0200
Compare token using crypto::ct_eq
Diffstat:
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/api/core/two_factor/email.rs b/src/api/core/two_factor/email.rs
@@ -181,7 +181,7 @@ fn email(data: JsonUpcase<EmailData>, headers: Headers, conn: DbConn) -> JsonRes
_ => err!("No token available"),
};
- if issued_token != &data.Token {
+ if !crypto::ct_eq(issued_token, data.Token) {
err!("Token is invalid")
}
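Review bot: The mismatch branch in `email()` only returns `err!("Token is invalid")` and, unlike `validate_email_code_str` in the second hunk, records no failed attempt, so the constant-time comparison added here does not by itself bound repeated guessing of the token. If no limit is applied elsewhere in the function (its body starts and ends outside this hunk), this branch should count the attempt and reset the token once `CONFIG.email_attempts_limit()` is reached, as the second hunk does. Both call sites would also benefit from a short comment giving the reason for the helper, e.g. `// constant-time compare: response timing must not reveal how much of the token matched`. The first call passes `data.Token` by value while the second passes a borrowed `token`; passing `&data.Token` would keep the two consistent, assuming `ct_eq` accepts references.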
@@ -206,7 +206,7 @@ pub fn validate_email_code_str(user_uuid: &str, token: &str, data: &str, conn: &
_ => err!("No token available"),
};
- if issued_token != &*token {
+ if !crypto::ct_eq(issued_token, token) {
email_data.add_attempt();
if email_data.attempts >= CONFIG.email_attempts_limit() {
email_data.reset_token();