fix(comparison): check all tokens, and do not short-circuit

perfectra1n 2025-12-21 09:26:20 -08:00
parent 6fdd418edd
commit f45920e506


@ -85,13 +85,14 @@ function isValidAuthHeader(auth: string | undefined) {
return constantTimeCompare(etapiToken.tokenHash, authTokenHash);
} else {
// Check ALL tokens to prevent timing attacks - do not short-circuit
let isValid = false;
for (const etapiToken of becca.getEtapiTokens()) {
if (constantTimeCompare(etapiToken.tokenHash, authTokenHash)) {
return true;
isValid = true;
}
}
return false;
return isValid;
}
}
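Review bot: The comment above the loop ("Check ALL tokens to prevent timing attacks") should state what the unconditional loop actually buys: both operands are already hashes, so an early `return true` could presumably only have revealed the position of the matching token to a caller who already holds a valid one, and a wording like `// Compare against every stored hash so response time does not depend on which (if any) token matched` is more precise than "prevent timing attacks". The one remaining match-dependent step is the `isValid = true` branch, which is negligible next to the compare itself; if you want it gone, `const matched = constantTimeCompare(etapiToken.tokenHash, authTokenHash); isValid = matched || isValid;` keeps the compare unconditional (note that `isValid ||= constantTimeCompare(...)` would skip the call once a match is found and reintroduce the short-circuit). This also assumes `constantTimeCompare` does not itself return early on a length mismatch between stored and presented hashes, which is not visible here and worth confirming. The `if` branch of isValidAuthHeader that this `else` pairs with starts before the hunk.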