protect against timing attacks for admin keys (#766)

2026-04-20 00:35:22 +00:00 · 2026-01-03 10:45:11 -05:00 · 2026-01-03 10:45:11 -05:00 · 6b56134df4
commit 6b56134df4
parent 097e48471f
1 changed files with 2 additions and 1 deletions
--- a/app/controllers/api/admin/application_controller.rb
+++ b/app/controllers/api/admin/application_controller.rb
@ -9,7 +9,8 @@ module Api

      def authenticate_admin_api_key!
        authenticate_or_request_with_http_token do |token, options|
-          @admin_api_key = AdminApiKey.active.find_by(token: token)
+          admin_api_key = AdminApiKey.active.find { |key| ActiveSupport::SecurityUtils.secure_compare(key.token, token) }
+          @admin_api_key = admin_api_key

          if @admin_api_key
            @current_user = @admin_api_key.user