You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -62,7 +62,7 @@ as defined in [RFC 6750](https://tools.ietf.org/html/rfc6750), and allow users t
When transforming request `Credentials` into an application specific user identifier the naive solution for
checking the secret (password) would be a regular string comparison, but doing this would open up the application to
timing attacks. See for example [Timing Attacks Explained](https://emerose.com/timing-attacks-explained) for an explanation of the problem.
timing attacks. See for example [Timing Attacks Explained](https://web.archive.org/web/20230902003704/https://emerose.com/timing-attacks-explained) for an explanation of the problem.
To protect users of the library from that mistake the secret is not available through the API, instead the method
`Credentials.Provided.verify(String)` should be used. It does a constant time comparison rather than returning early
