From d484219c483507d3876d959bf068bee85cb4ab05 Mon Sep 17 00:00:00 2001
From: NewbieOrange
Date: Mon, 6 Mar 2023 23:41:06 +0800
Subject: [PATCH] fix(security): compare auth token in constant time (#3740 close #3739)
---
 server/middlewares/auth.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server/middlewares/auth.go b/server/middlewares/auth.go
index 53834874304..7107737878b 100644
--- a/server/middlewares/auth.go
+++ b/server/middlewares/auth.go
@@ -1,6 +1,8 @@
 package middlewares
 
 import (
+ "crypto/subtle"
+
 "github.com/alist-org/alist/v3/internal/conf"
 "github.com/alist-org/alist/v3/internal/model"
 "github.com/alist-org/alist/v3/internal/op"
@@ -14,7 +16,7 @@ import (
 // if token is empty, set user to guest
 func Auth(c *gin.Context) {
 token := c.GetHeader("Authorization")
- if token == setting.GetStr(conf.Token) {
+ if subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {
 admin, err := op.GetAdmin()
 if err != nil {
 common.ErrorResp(c, err, 500)
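Review bot: The new comparison in Auth still returns early when the two inputs differ in length, because subtle.ConstantTimeCompare reports 0 immediately on a length mismatch, so the timing of this branch can reveal the length of the configured token even though its bytes are now compared in constant time. If that matters for this deployment, compare fixed-size digests instead, e.g. `sha256.Sum256` of both sides and `subtle.ConstantTimeCompare(got[:], want[:]) == 1`, which would also need `crypto/sha256` in the import block above. Separately, two empty inputs compare equal (as they did with `==`), so if `setting.GetStr(conf.Token)` can ever be empty an empty Authorization header would take the admin path rather than the guest path the comment describes; guarding with `if token != "" && subtle.ConstantTimeCompare(...) == 1 {` closes that regardless of configuration. I would also record the intent on the line, e.g. `// constant-time compare so token bytes cannot be recovered via response timing`. The body of Auth continues beyond the end of this hunk, so the guest handling the comment refers to is not visible here.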