Dockery/Trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2026-03-11 14:40:22 +01:00
Code Issues Packages Projects Releases Activity

fix(comparison): check all tokens, and do not short-circuit

Browse Source
This commit is contained in:
perfectra1n
2025-12-21 09:26:20 -08:00
parent 6fdd418edd
commit f45920e506
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
apps/server/src/services/etapi_tokens.ts
View File

@@ -85,13 +85,14 @@ function isValidAuthHeader(auth: string | undefined) {
return constantTimeCompare(etapiToken.tokenHash, authTokenHash);
} else {
// Check ALL tokens to prevent timing attacks - do not short-circuit
let isValid = false;
for (const etapiToken of becca.getEtapiTokens()) {
if (constantTimeCompare(etapiToken.tokenHash, authTokenHash)) {
return true;
isValid = true;
}
}
return false;
return isValid;
}
}