Bug Description
In internal/token/admin_token.go:47, the admin secret supplied by the caller is compared against the configured value with secret == p.config.AdminSecret. Go's string equality is not constant-time: it checks the lengths first and then compares bytes only until the first mismatch, so the time the comparison takes depends on how many leading bytes of the guess are correct. An attacker who can submit many guesses and measure response times could, in principle, recover the admin secret one byte at a time.
Impact
MEDIUM — Timing side-channel on the admin secret comparison. The per-byte timing difference is small and is masked by network and scheduling noise, so practical exploitation requires many requests and a low-noise path to the server, but the comparison guards an admin-level secret and the fix is cheap.
Fix
Use crypto/subtle.ConstantTimeCompare() for the comparison: convert both values to []byte and treat a return value of 1 as a match. Its running time depends only on the length of the inputs, not on where they differ. Note that ConstantTimeCompare returns 0 immediately when the lengths differ, so the length of the configured secret remains observable; if that matters, compare fixed-length hashes (for example SHA-256 digests) of both values instead of the raw strings.
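Added example (not code from the affected repository): the comparison pattern the report describes next to the constant-time replacement, plus the optional hash-then-compare variant that also hides the secret's length. The config type, function names and the sample secret are assumptions made for illustration; only subtle.ConstantTimeCompare and sha256.Sum256 are real standard-library calls.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// config is a stand-in for the page's p.config (assumed shape; not the project's own type).
type config struct {
	AdminSecret string
}

// checkAdminSecretInsecure mirrors the reported pattern: plain == on strings.
// Go compares the lengths first and then the bytes until the first mismatch,
// so the time taken depends on how much of the guess is correct.
func checkAdminSecretInsecure(c *config, secret string) bool {
	return secret == c.AdminSecret
}

// checkAdminSecret is the proposed fix. subtle.ConstantTimeCompare runs in time
// that depends only on the input lengths, never on where the inputs differ.
// It returns 0 at once when the lengths differ, so the secret's length is still
// observable; the hashed variant below removes that too.
func checkAdminSecret(c *config, secret string) bool {
	return subtle.ConstantTimeCompare([]byte(secret), []byte(c.AdminSecret)) == 1
}

// checkAdminSecretHashed compares SHA-256 digests, which are always 32 bytes,
// so neither the contents nor the length of the configured secret leak through
// timing. Optional hardening beyond the reported fix.
func checkAdminSecretHashed(c *config, secret string) bool {
	got := sha256.Sum256([]byte(secret))
	want := sha256.Sum256([]byte(c.AdminSecret))
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

func main() {
	// Constructed sample value, not a real secret.
	c := &config{AdminSecret: "correct-horse-battery-staple"}
	guesses := []string{
		"correct-horse-battery-staple", // exact match
		"correct-horse-battery-stapl3", // differs only in the last byte
		"x",                            // wrong length
	}
	for _, g := range guesses {
		fmt.Printf("%-30q insecure=%-5v constant=%-5v hashed=%v\n", g,
			checkAdminSecretInsecure(c, g), checkAdminSecret(c, g), checkAdminSecretHashed(c, g))
	}
}
```

All three functions give the same answer for every input; the difference is only in how long the rejection of a partially correct guess takes, which is exactly what the attacker in the report measures.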