Use constant-time comparison for basic auth password check

## Context

`crates/common/src/auth.rs:17` compares the basic auth password using standard `==`, which is susceptible to timing side-channel attacks. While low severity behind TLS with basic auth, this was noted during the PR #468 review (which focused on improving secret handling).

## Proposal

Use `subtle::ConstantTimeEq` or an equivalent constant-time comparison for the password check in `enforce_basic_auth` as a defense-in-depth measure.

## References

- PR #468 review comment: https://github.com/IABTechLab/trusted-server/pull/468#discussion_r2919462181

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use constant-time comparison for basic auth password check #475

Context

Proposal

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Use constant-time comparison for basic auth password check #475

Description

Context

Proposal

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions