Skip to content

fix: use constant time in user checks#1004

Merged
steveiliop56 merged 3 commits into
mainfrom
fix/constant-time-auth
Jul 14, 2026
Merged

fix: use constant time in user checks#1004
steveiliop56 merged 3 commits into
mainfrom
fix/constant-time-auth

Conversation

@steveiliop56

@steveiliop56 steveiliop56 commented Jul 14, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Bug Fixes

    • Improved sign-in handling for unknown usernames by performing a consistent dummy password-check before returning HTTP 401.
    • Aligned basic authentication so non-existent users follow the same dummy-check flow, reducing differences between valid and invalid username attempts.
  • Tests

    • Updated authentication-related test setups to fail fast if authentication service initialization returns an error, before running controller and middleware tests.

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jul 14, 2026
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 23e0fccc-6125-4ec4-8115-2e734b4010c8

📥 Commits

Reviewing files that changed from the base of the PR and between d2418ac and 5d2b7c9.

📒 Files selected for processing (3)
  • internal/controller/user_controller.go
  • internal/middleware/context_middleware.go
  • internal/service/auth_service.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • internal/middleware/context_middleware.go

📝 Walkthrough

Walkthrough

AuthService now initializes a bcrypt dummy hash and returns construction errors. Login and basic authentication invoke a dummy password check when user lookup fails with service.ErrUserNotFound.

Changes

Dummy password authentication flow

Layer / File(s) Summary
AuthService dummy hash and constructor flow
internal/service/auth_service.go, internal/controller/*_test.go, internal/middleware/context_middleware_test.go
NewAuthService generates and stores a bcrypt dummy hash, returns generation errors, and DummyPasswordCheck compares a supplied password against that hash. Tests now validate constructor errors.
Failed lookup handling
internal/controller/user_controller.go, internal/middleware/context_middleware.go
Login and basic authentication call DummyPasswordCheck when user lookup returns service.ErrUserNotFound before continuing existing error handling.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: scottmckendry

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: using constant-time checks during user lookup/authentication.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/constant-time-auth

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
internal/service/auth_service.go (1)

165-168: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Use the provided password for the dummy check.

Generating a random string for the dummy check consumes unnecessary entropy and slightly alters the execution time compared to hashing the actual password provided in the request. Accepting and comparing the user-provided password ensures the execution time identically matches a normal password validation failure.

  • internal/service/auth_service.go#L165-L168: update the definition to func (auth *AuthService) DummyPasswordCheck(providedPassword string) and replace []byte(random) with []byte(providedPassword).
  • internal/controller/user_controller.go#L93-L93: pass the request password by calling controller.auth.DummyPasswordCheck(req.Password).
  • internal/middleware/context_middleware.go#L247-L247: pass the basic auth password by calling m.auth.DummyPasswordCheck(password) (if addressing the major issue flagged here, update the gated call).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/service/auth_service.go` around lines 165 - 168, Update
AuthService.DummyPasswordCheck to accept providedPassword and compare the dummy
hash against it instead of generating a random string. At
internal/service/auth_service.go lines 165-168, change the method and
comparison; at internal/controller/user_controller.go line 93, pass
req.Password; and at internal/middleware/context_middleware.go line 247, pass
password, including the gated call if applicable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/middleware/context_middleware.go`:
- Around line 246-249: Update the SearchUser error handling in the surrounding
middleware method so m.auth.DummyPasswordCheck() runs only when err matches
service.ErrUserNotFound. Preserve the existing wrapped error return for
not-found and all other search failures, while avoiding the CPU-intensive check
for database or connectivity errors.

In `@internal/service/auth_service.go`:
- Line 106: Update every NewAuthService call site, specifically the usages in
proxy_controller_test.go and user_controller_test.go, to receive and handle both
the returned service and error. Preserve each test’s existing setup while
propagating or asserting the constructor error appropriately so the tests
compile and fail clearly on initialization errors.

---

Nitpick comments:
In `@internal/service/auth_service.go`:
- Around line 165-168: Update AuthService.DummyPasswordCheck to accept
providedPassword and compare the dummy hash against it instead of generating a
random string. At internal/service/auth_service.go lines 165-168, change the
method and comparison; at internal/controller/user_controller.go line 93, pass
req.Password; and at internal/middleware/context_middleware.go line 247, pass
password, including the gated call if applicable.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 778a7065-caa3-49f3-9439-88de52f5d8ce

📥 Commits

Reviewing files that changed from the base of the PR and between e75605b and 6e25625.

📒 Files selected for processing (3)
  • internal/controller/user_controller.go
  • internal/middleware/context_middleware.go
  • internal/service/auth_service.go

Comment thread internal/middleware/context_middleware.go
Comment thread internal/service/auth_service.go
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 9.09091% with 10 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
internal/service/auth_service.go 0.00% 8 Missing ⚠️
internal/middleware/context_middleware.go 0.00% 2 Missing ⚠️

📢 Thoughts on this report? Let us know!

@steveiliop56

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/service/auth_service.go`:
- Around line 165-167: Update AuthService.DummyPasswordCheck to accept and hash
the supplied password instead of generating a random value; update
internal/service/auth_service.go lines 165-167 accordingly. Pass req.Password
from internal/controller/user_controller.go line 93 and password from
internal/middleware/context_middleware.go lines 248-250 into this method.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 093af0f1-87c9-4de8-bbc0-3eb77de336f1

📥 Commits

Reviewing files that changed from the base of the PR and between e75605b and d2418ac.

📒 Files selected for processing (6)
  • internal/controller/proxy_controller_test.go
  • internal/controller/user_controller.go
  • internal/controller/user_controller_test.go
  • internal/middleware/context_middleware.go
  • internal/middleware/context_middleware_test.go
  • internal/service/auth_service.go

Comment thread internal/service/auth_service.go Outdated
@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jul 14, 2026
@steveiliop56 steveiliop56 merged commit c22925c into main Jul 14, 2026
5 checks passed
@steveiliop56 steveiliop56 deleted the fix/constant-time-auth branch July 14, 2026 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm This PR has been approved by a maintainer size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants