diff --git a/services/backup/Cargo.lock b/services/backup/Cargo.lock --- a/services/backup/Cargo.lock +++ b/services/backup/Cargo.lock @@ -960,6 +960,7 @@ "base64 0.21.2", "bytes", "chrono", + "constant_time_eq", "derive_more", "futures-core", "futures-util", @@ -973,6 +974,12 @@ "tracing", ] +[[package]] +name = "constant_time_eq" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" + [[package]] name = "convert_case" version = "0.4.0" diff --git a/services/blob/Cargo.lock b/services/blob/Cargo.lock --- a/services/blob/Cargo.lock +++ b/services/blob/Cargo.lock @@ -1023,6 +1023,7 @@ "aws-types", "base64 0.21.0", "chrono", + "constant_time_eq", "derive_more", "futures-core", "futures-util", @@ -1035,6 +1036,12 @@ "tracing", ] +[[package]] +name = "constant_time_eq" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" + [[package]] name = "convert_case" version = "0.4.0" diff --git a/services/comm-services-lib/Cargo.lock b/services/comm-services-lib/Cargo.lock --- a/services/comm-services-lib/Cargo.lock +++ b/services/comm-services-lib/Cargo.lock @@ -859,6 +859,7 @@ "base64 0.21.0", "bytes", "chrono", + "constant_time_eq", "derive_more", "futures-core", "futures-util", @@ -872,6 +873,12 @@ "tracing", ] +[[package]] +name = "constant_time_eq" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" + [[package]] name = "convert_case" version = "0.4.0" diff --git a/services/comm-services-lib/Cargo.toml b/services/comm-services-lib/Cargo.toml --- a/services/comm-services-lib/Cargo.toml +++ b/services/comm-services-lib/Cargo.toml 
@@ -31,6 +31,7 @@
 aws-types = "0.55"
 base64 = "0.21"
 chrono = "0.4"
+constant_time_eq = "0.3"
 derive_more = "0.99"
 rand = "0.8"
 tokio = "1.32"
diff --git a/services/comm-services-lib/src/auth.rs b/services/comm-services-lib/src/auth.rs
--- a/services/comm-services-lib/src/auth.rs
+++ b/services/comm-services-lib/src/auth.rs
@@ -1,4 +1,5 @@
 use base64::{prelude::BASE64_STANDARD, Engine};
+use constant_time_eq::constant_time_eq;
 use derive_more::{Display, Error, From};
 use serde::{Deserialize, Serialize};
 use std::{str::FromStr, string::FromUtf8Error};
@@ -20,7 +21,7 @@
 ServicesToken(ServicesAuthToken),
 }
 
-#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[derive(Debug, Clone, Serialize, Deserialize, derive_more::Constructor)]
 pub struct ServicesAuthToken {
 #[serde(rename = "servicesToken")]
 token_value: String,
@@ -50,6 +51,12 @@
 }
 }
 
+impl PartialEq for ServicesAuthToken {
+ fn eq(&self, other: &Self) -> bool {
+ constant_time_eq(self.token_value.as_bytes(), other.token_value.as_bytes())
+ }
+}
+
 /// This implements [`actix_web::FromRequest`], so it can be used to extract user
 /// identity information from HTTP requests.
 /// # Example
diff --git a/services/commtest/Cargo.lock b/services/commtest/Cargo.lock
--- a/services/commtest/Cargo.lock
+++ b/services/commtest/Cargo.lock
@@ -631,6 +631,7 @@ "aws-types", "base64 0.21.3", "chrono", + "constant_time_eq", "derive_more", "rand", "serde",
@@ -677,6 +678,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28c122c3980598d243d63d9a704629a2d748d101f278052ff068be5a4423ab6f" +[[package]] +name = "constant_time_eq" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" + [[package]] name = "convert_case" version = "0.4.0"
diff --git a/services/feature-flags/Cargo.lock b/services/feature-flags/Cargo.lock
--- a/services/feature-flags/Cargo.lock
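Review bot: In `services/comm-services-lib/src/auth.rs` (hunk `-20,7 +21,7`), the rewritten derive line on `ServicesAuthToken` still includes `Debug`, so any `{:?}` formatting of the struct, for example in a log line or a tracing field, prints `token_value` in clear text. The constant-time comparison this commit adds does not help once the token is in logs, so I would drop `Debug` from the derive and write a redacting impl as sketched below. The same line also adds `derive_more::Constructor`, which generates a `new` constructor; nothing visible here says why it is needed, so a one-line comment would help. The struct body continues outside the hunk.

```rust
#[derive(Clone, Serialize, Deserialize, derive_more::Constructor)]
pub struct ServicesAuthToken {
    // … unchanged: token_value field and the rest of the struct …

// Hand-written so the secret never reaches logs through `{:?}`.
impl std::fmt::Debug for ServicesAuthToken {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str("ServicesAuthToken(<redacted>)")
    }
}
```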
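Review bot: In `services/comm-services-lib/src/auth.rs` (hunk `-50,6 +51,12`), the hand-written `impl PartialEq for ServicesAuthToken` has no comment saying why it replaces the derive, so a later cleanup could restore `#[derive(PartialEq)]` and silently bring back a short-circuiting byte comparison. I would add `/// Compares token values in constant time; do not replace with #[derive(PartialEq)].` above the impl. The comment should also state that `constant_time_eq` on slices returns `false` as soon as the lengths differ, so the token length is not hidden, which is acceptable only if tokens have a fixed length. This covers `==` on the type only; a comparison made on the raw string or inside a datastore lookup elsewhere (not visible in this diff) would not be protected.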
+++ b/services/feature-flags/Cargo.lock @@ -757,6 +757,7 @@ "aws-types", "base64", "chrono", + "constant_time_eq", "derive_more", "rand", "serde", @@ -765,6 +766,12 @@ "tracing", ] +[[package]] +name = "constant_time_eq" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" + [[package]] name = "convert_case" version = "0.4.0" diff --git a/services/reports/Cargo.lock b/services/reports/Cargo.lock --- a/services/reports/Cargo.lock +++ b/services/reports/Cargo.lock @@ -956,6 +956,7 @@ "base64 0.21.3", "bytes", "chrono", + "constant_time_eq", "derive_more", "futures-core", "futures-util", @@ -969,6 +970,12 @@ "tracing", ] +[[package]] +name = "constant_time_eq" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" + [[package]] name = "convert_case" version = "0.4.0"