use fixed-time comparison of secrets (#1698)

2025-06-30 15:42:48 -05:00 · 2021-11-08 15:55:42 -05:00
parent c07794e907
commit 7cc7b84eaf
8 changed files with 18 additions and 8 deletions
--- a/src/Api/Utilities/ApiHelpers.cs
+++ b/src/Api/Utilities/ApiHelpers.cs
@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Http;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Azure.EventGrid;
 using Microsoft.Azure.EventGrid.Models;
@ -48,7 +49,7 @@ namespace Bit.Api.Utilities
        {
            var queryKey = request.Query["key"];

-            if (queryKey != EventGridKey)
+            if (!CoreHelpers.FixedTimeEquals(queryKey, EventGridKey))
            {
                return new UnauthorizedObjectResult("Authentication failed. Please use a valid key.");
            }