zlacker

[return to "Cloudlflare builds OAuth with Claude and publishes all the prompts"]
1. ZiiS+cd[view] [source] 2025-06-02 15:40:01
>>gregor+(OP)
Shouldn't they really have asked it to read https://developers.cloudflare.com/workers/examples/protect-a...
◧◩
2. kenton+Js[view] [source] 2025-06-02 17:07:38
>>ZiiS+cd
The secret token is hashed first, and it's the hash that is looked up in storage. In this arrangement, an attacker cannot use timing to determine the correct value byte-by-byte, because any change to the secret token is expected to randomize the whole hash. So, timing-safe equality is not needed.

That said, if you have spotted a place in the code where you believe there is such a vulnerability, please do report it. Disclosure guidelines are at: https://github.com/cloudflare/workers-oauth-provider/blob/ma...

◧◩◪
3. ZiiS+4O[view] [source] 2025-06-02 19:42:33
>>kenton+Js
I am not confident enough in this area to to report a vunrability, the networking alone probably makes timing impractical. I thought it was now practical to generate known prefix Sha256, so some information could be extracted? Not enough to compromise but the function is right there.
[go to top]