1
1
mirror of https://github.com/go-gitea/gitea synced 2024-11-16 07:04:25 +00:00
gitea/routers/metrics.go
leonklingele ef57fe4ae3 routers: do not leak secrets via timing side channel (#7364)
* routers: do not leak secrets via timing side channel

* routers/repo: do not leak secrets via timing side channel
2019-07-06 13:03:13 -04:00

35 lines
856 B
Go

// Copyright 2018 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package routers
import (
"crypto/subtle"
"github.com/prometheus/client_golang/prometheus/promhttp"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/setting"
)
// Metrics validate auth token and render prometheus metrics
func Metrics(ctx *context.Context) {
if setting.Metrics.Token == "" {
promhttp.Handler().ServeHTTP(ctx.Resp, ctx.Req.Request)
return
}
header := ctx.Req.Header.Get("Authorization")
if header == "" {
ctx.Error(401)
return
}
got := []byte(header)
want := []byte("Bearer " + setting.Metrics.Token)
if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(401)
return
}
promhttp.Handler().ServeHTTP(ctx.Resp, ctx.Req.Request)
}