From f45920e506aed589749f95944263f751eb07a6df Mon Sep 17 00:00:00 2001
From: perfectra1n
Date: Sun, 21 Dec 2025 09:26:20 -0800
Subject: [PATCH] fix(comparison): check all tokens, and do not short-circuit
---
 apps/server/src/services/etapi_tokens.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/apps/server/src/services/etapi_tokens.ts b/apps/server/src/services/etapi_tokens.ts
index 304691c7d..30beb5517 100644
--- a/apps/server/src/services/etapi_tokens.ts
+++ b/apps/server/src/services/etapi_tokens.ts
@@ -85,13 +85,14 @@ function isValidAuthHeader(auth: string | undefined) {
         return constantTimeCompare(etapiToken.tokenHash, authTokenHash);
     } else {
+        // Check ALL tokens to prevent timing attacks - do not short-circuit
+        let isValid = false;
         for (const etapiToken of becca.getEtapiTokens()) {
             if (constantTimeCompare(etapiToken.tokenHash, authTokenHash)) {
-                return true;
+                isValid = true;
             }
         }
-
-        return false;
+        return isValid;
     }
 }
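Review bot: The added comment `// Check ALL tokens to prevent timing attacks - do not short-circuit` claims more than the loop delivers: dropping the early `return true` stops the response time from revealing which position in `becca.getEtapiTokens()` matched, but the loop still runs for a time proportional to the number of registered tokens, and the `if` branch just above (one `constantTimeCompare` call) stays distinguishable from this `else` branch, so whatever selects the branch remains observable. Since both operands appear to be hashes (`tokenHash` versus `authTokenHash`), a constant-time compare already denies an attacker incremental progress on the secret, which makes the position leak a minor one, and the comment should state the actual property rather than a blanket "prevent timing attacks". I would reword it to `// Compare against every token so response time does not reveal which one matched; the loop length still scales with the token count, and the single-token branch above is not equal-time with this one.` The enclosing isValidAuthHeader begins above the hunk, so what decides between the two branches is not visible here.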