--- a/util/jwt.lua Thu May 13 11:17:13 2021 +0100
+++ b/util/jwt.lua Thu May 13 14:13:07 2021 +0100
@@ -3,6 +3,7 @@
local hashes = require "util.hashes";
local base64_encode = require "util.encodings".base64.encode;
local base64_decode = require "util.encodings".base64.decode;
+local secure_equals = require "util.hashes".equals;
local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = "/" };
local function b64url(data)
@@ -33,7 +34,7 @@
elseif header.alg ~= "HS256" then
return nil, "unsupported-algorithm";
end
- if b64url(hashes.hmac_sha256(key, signed)) ~= signature then
+ if not secure_equals(b64url(hashes.hmac_sha256(key, signed)), signature) then
return false, "signature-mismatch";
end
local payload, err = json.decode(unb64url(bpayload));