From 7be9068833352f9a7edc6e6c5fe68137ffd28aa6 Mon Sep 17 00:00:00 2001
From: Jesse Cooke <jesse@relativepath.io>
Date: Wed, 19 Jun 2024 11:26:05 -0700
Subject: [PATCH] Use Plug.Crypto.secure_compare/2 to avoid timing attacks

---
 lib/security/hmac_plug.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/security/hmac_plug.ex b/lib/security/hmac_plug.ex
index c320cd6..f3773e8 100644
--- a/lib/security/hmac_plug.ex
+++ b/lib/security/hmac_plug.ex
@@ -96,7 +96,7 @@ defmodule PhoenixApiToolkit.Security.HmacPlug do
     with hmac <- parse_auth_header(conn),
          body = CacheBodyReader.get_raw_request_body(conn) || "",
          message_hmac = Internal.hmac(hash_algorithm, hmac_secret, body) |> Base.encode64(),
-         {:hmac_matches, true} <- {:hmac_matches, hmac == message_hmac},
+         {:hmac_matches, true} <- {:hmac_matches, Plug.Crypto.secure_compare(hmac, message_hmac)},
          :ok <- verify_method(conn),
          :ok <- verify_path(conn),
          :ok <- verify_timestamp(conn, max_age) do