From 8a8214113b3d484e520a10804ccc17291cfd6729 Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Fri, 4 Nov 2022 18:31:40 +0800
Subject: [PATCH] fix: use subtle compare

---
 models/bots/task.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/models/bots/task.go b/models/bots/task.go
index c8f1865d99..a2cb93ca3b 100644
--- a/models/bots/task.go
+++ b/models/bots/task.go
@@ -7,6 +7,7 @@ package bots
 import (
 	"bytes"
 	"context"
+	"crypto/subtle"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -266,7 +267,7 @@ func GetTaskByToken(ctx context.Context, token string) (*Task, error) {
 
 	for _, t := range tasks {
 		tempHash := auth_model.HashToken(token, t.TokenSalt)
-		if t.TokenHash == tempHash {
+		if subtle.ConstantTimeCompare([]byte(t.TokenHash), []byte(tempHash)) == 1 {
 			if successfulTokenTaskCache != nil {
 				successfulTokenTaskCache.Add(token, t.ID)
 			}