fix(vuln): Change OTP and Email providers to use time-constant equality operators

Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com>
2025-12-06 00:03:34 +00:00 · 2025-10-28 09:51:24 -04:00
parent 76d7534d85
commit 02be34159d
2 changed files with 2 additions and 2 deletions
--- a/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
+++ b/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
@@ -65,7 +65,7 @@ public class EmailTokenProvider : IUserTwoFactorTokenProvider<User>
        }

        var code = Encoding.UTF8.GetString(cachedValue);
-        var valid = string.Equals(token, code);
+        var valid = CoreHelpers.FixedTimeEquals(token, code);
        if (valid)
        {
            await _distributedCache.RemoveAsync(cacheKey);
--- a/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
+++ b/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
@@ -64,7 +64,7 @@ public class OtpTokenProvider<TOptions>(
        }

        var code = Encoding.UTF8.GetString(cachedValue);
-        var valid = string.Equals(token, code);
+        var valid = CoreHelpers.FixedTimeEquals(token, code);
        if (valid)
        {
            await _distributedCache.RemoveAsync(cacheKey);