diff --git a/src/Api/Controllers/AuthRequestsController.cs b/src/Api/Controllers/AuthRequestsController.cs
index fca835af45..3b3e17f868 100644
--- a/src/Api/Controllers/AuthRequestsController.cs
+++ b/src/Api/Controllers/AuthRequestsController.cs
@@ -6,6 +6,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -68,7 +69,7 @@ public class AuthRequestsController : Controller
     public async Task GetResponse(string id, [FromQuery] string code)
     {
         var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(id));
-        if (authRequest == null || code != authRequest.AccessCode || authRequest.GetExpirationDate() < DateTime.UtcNow)
+        if (authRequest == null || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, code) || authRequest.GetExpirationDate() < DateTime.UtcNow)
         {
             throw new NotFoundException();
         }
diff --git a/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs b/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
index 67fc7268d8..827a904485 100644
--- a/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
+++ b/src/Core/LoginFeatures/PasswordlessLogin/VerifyAuthRequest.cs
@@ -1,5 +1,6 @@
 using Bit.Core.LoginFeatures.PasswordlessLogin.Interfaces;
 using Bit.Core.Repositories;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.LoginFeatures.PasswordlessLogin;
 
@@ -15,7 +16,7 @@ public class VerifyAuthRequestCommand : IVerifyAuthRequestCommand
     public async Task VerifyAuthRequestAsync(Guid authRequestId, string accessCode)
     {
         var authRequest = await _authRequestRepository.GetByIdAsync(authRequestId);
-        if (authRequest == null || authRequest.AccessCode != accessCode)
+        if (authRequest == null || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, accessCode))
         {
             return false;
         }
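Review bot: `code` in GetResponse is a `[FromQuery] string` that is null when the query parameter is omitted, and the new `CoreHelpers.FixedTimeEquals(authRequest.AccessCode, code)` call gives no indication here of how it treats a null operand, whereas the string `!=` it replaces tolerated null on either side; if the helper throws on null, an omitted or malformed code surfaces as a server error instead of the NotFoundException the branch intends. Guarding before the compare keeps the existing 404 behaviour, e.g. `if (authRequest == null || string.IsNullOrEmpty(code) || !CoreHelpers.FixedTimeEquals(authRequest.AccessCode, code) || authRequest.GetExpirationDate() < DateTime.UtcNow)`, and the same consideration applies to `accessCode` in VerifyAuthRequestAsync in the second file, where callers are not bound by model binding at all. A short why-comment above each compare would also preserve the intent for future edits, e.g. `// Constant-time compare: the access code is a secret, so response timing must not depend on how much of it matched.` Both method bodies continue past their hunks, so any later use of the code after the guard is not visible here.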