Prevent timing attacks on access token verification #6

Open
wants to merge 1 commit into
base: main

awestendorf
Member

Addresses the potential of an HMAC timing attack #5

@tmclaugh

Any reason this PR is still outstanding?

@awestendorf
Member Author

Even though it's a small change and I've tested in Lua proper, ensuring that the change is working within nginx requires integration testing. That requires a build of nginx with Lua support and a host that I can connect to Google. Since around the time of this PR, the test environment I had been using is gone, and I just haven't built a new one as this PR fell through the cracks. If anyone has a chance to test it and can report back, that would be helpful.

@tmclaugh

Thanks. We're looking at this right now for a handful of internal apps. I'll see if I can have someone test this out.

Base automatically changed from master to main March 11, 2021 15:58