Author: Shivam Mathur (shivammathur)
Date: 2026-04-02T06:11:46+05:30
Commit: Use hash_equals in Auth::authenticate · php/web-downloads@c27dc68 · GitHub
Raw diff: https://github.com/php/web-downloads/commit/c27dc6873177020acc202a2e2b1e247608fbba1f.diff
Use hash_equals in Auth::authenticate
Changed paths:
M src/Auth.php
Diff:
diff --git a/src/Auth.php b/src/Auth.php
index dd7b609..a352928 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -10,6 +10,6 @@ public function authenticate(): bool
$authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
$authToken = str_replace('Bearer ', '', $authHeader);
- return $authToken === getenv('AUTH_TOKEN');
+ return hash_equals((string) getenv('AUTH_TOKEN'), $authToken);
}
}
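Review bot: The new `hash_equals` return fails open when `AUTH_TOKEN` is not configured: `getenv()` returns `false`, the `(string)` cast turns that into `''`, and a request without an Authorization header also leaves `$authToken` as `''`, so `hash_equals('', '')` returns true. The removed strict comparison rejected that case, because `'' === false` is false. Keep the constant-time comparison but reject an unset or empty secret first, e.g. `$expected = getenv('AUTH_TOKEN');` followed by `return is_string($expected) && $expected !== '' && hash_equals($expected, $authToken);`. Separately, the context line `str_replace('Bearer ', '', $authHeader)` strips the substring anywhere in the header rather than only as a prefix; the start of `authenticate()` lies outside this hunk, so any earlier guard is not visible here.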