From e561e1ee1f5dceaf1661a7b59b7bc852a45fe3dd Mon Sep 17 00:00:00 2001
From: Snider
Date: Mon, 9 Mar 2026 08:27:38 +0000
Subject: [PATCH] security: use constant-time comparison for auth credentials

Co-Authored-By: Claude Opus 4.6
---
 crypt/lthn/lthn.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypt/lthn/lthn.go b/crypt/lthn/lthn.go
index 08fe2ed..a2404f5 100644
--- a/crypt/lthn/lthn.go
+++ b/crypt/lthn/lthn.go
@@ -18,6 +18,7 @@ package lthn
 import (
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/hex"
 )
@@ -87,8 +88,8 @@ func createSalt(input string) string {
 // Verify checks if an input string produces the given hash.
 // Returns true if Hash(input) equals the provided hash value.
-// Uses direct string comparison - for security-critical applications,
-// consider using constant-time comparison.
+// Uses constant-time comparison to prevent timing attacks.
 func Verify(input string, hash string) bool {
-	return Hash(input) == hash
+	computed := Hash(input)
+	return subtle.ConstantTimeCompare([]byte(computed), []byte(hash)) == 1
 }
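Review bot: The new doc line on Verify overstates the guarantee: subtle.ConstantTimeCompare returns 0 immediately when the two inputs differ in length, so the comparison is constant-time only for equal-length inputs, and the caller-supplied hash is also compared as a case-sensitive hex string, so a differently-cased encoding of the same digest still fails (that matches the old behavior, but is worth documenting). Since Hash appears to produce a fixed-width hex digest (its body is outside this hunk, so that is inferred from the sha256/hex imports), the length short-circuit leaks nothing secret here, but the comment should say so rather than claim timing attacks are prevented outright: `// Compares in constant time for equal-length inputs; ConstantTimeCompare returns early on a length mismatch, which is acceptable because Hash output has a fixed length. Comparison is case-sensitive on the hex encoding.` A unit test pinning Verify(input, Hash(input)) == true and Verify(input, Hash(input)+"0") == false would also guard the == 1 convention against a future refactor to a boolean-style check.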