🛡️ Sentinel: [HIGH] Fix vulnerable constant-time equality logic

[EffortlessSteven]

Scope

Type: Security
Intent: Replace vulnerable manual string fold logic for constant_time_eq with the compiler-safe subtle crate ConstantTimeEq implementation.
Touchpoints: crates/http-auth-verifier/src/lib.rs, crates/http-auth-verifier/Cargo.toml
Evidence: cargo check and cargo test -p http-auth-verifier pass.

🚨 Severity: HIGH
💡 Vulnerability: The constant_time_eq function used a manual fold over bytes. While logically correct, modern compilers (like LLVM) often optimize manual loops in ways that reintroduce branching or early exits, making the application susceptible to timing attacks.
🎯 Impact: Attackers could potentially determine the expected token value byte-by-byte by analyzing minute timing differences during authentication verification.
🔧 Fix: Replaced the manual loop with subtle::ConstantTimeEq, which uses compiler black boxes and inline assembly to guarantee constant-time execution, and added the subtle crate as a dependency.
✅ Verification: Ran cargo clippy, cargo fmt, and cargo test to ensure tests passed and the dependency was successfully integrated.

---

PR created automatically by Jules for task 16415735817051698426 started by @EffortlessSteven

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 24 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9ce5fc21-2d4f-4d98-b76b-e29b0984e224

📥 Commits

Reviewing files that changed from the base of the PR and between 63105d4 and a597920.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• .cargo/audit.toml
• deny.toml

Walkthrough

The pull request adds the subtle crate as a dependency to the http-auth-verifier library and refactors the constant_time_eq function to use the library's ConstantTimeEq trait for secure byte-slice comparison instead of a manual implementation.

Changes

Cohort / File(s)	Summary
Dependency Addition crates/http-auth-verifier/Cargo.toml	Adds subtle crate version 2.6.1 to regular dependencies.
Constant-Time Comparison Refactoring crates/http-auth-verifier/src/lib.rs	Replaces manual byte-wise XOR logic with subtle::ConstantTimeEq trait implementation; imports ConstantTimeEq into scope.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A tiny crate so subtle brings,
Safe comparisons without the fuss,
No more XOR accumulating things,
Constant-time for all of us!
Security wrapped in trust. 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main security fix: replacing vulnerable constant-time equality logic with the safe subtle crate implementation.
Description check	✅ Passed	The description is directly related to the changeset, detailing the security vulnerability, the rationale for using subtle, and verification steps taken.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-constant-time-eq-16415735817051698426

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

crates/http-auth-verifier/src/lib.rs (1)

242-249: 🧹 Nitpick | 🔵 Trivial

Consider adding explicit length-mismatch test cases.

The proptest covers length mismatches probabilistically, but adding explicit deterministic tests would improve coverage clarity and guarantee edge cases are always exercised:

#[test]
fn constant_time_eq_rejects_length_mismatch() {
    assert!(!constant_time_eq("abc", "ab"));
    assert!(!constant_time_eq("", "a"));
    assert!(constant_time_eq("", ""));
}

The relevant code snippet from crates/http-auth-verifier/tests/verifier_integration.rs:49-53 shows the integration test only covers equal-length strings.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/http-auth-verifier/src/lib.rs` around lines 242 - 249, Add a
deterministic unit test that explicitly checks length-mismatch behavior for
constant_time_eq: create a new #[test] (e.g.,
constant_time_eq_rejects_length_mismatch) and assert that
constant_time_eq("abc","ab") is false, constant_time_eq("","a") is false, and
constant_time_eq("","") is true; keep the existing proptest
prop_constant_time_eq_matches_standard_equality but add this explicit test to
guarantee the edge cases are always exercised.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@crates/http-auth-verifier/src/lib.rs`:
- Around line 242-249: Add a deterministic unit test that explicitly checks
length-mismatch behavior for constant_time_eq: create a new #[test] (e.g.,
constant_time_eq_rejects_length_mismatch) and assert that
constant_time_eq("abc","ab") is false, constant_time_eq("","a") is false, and
constant_time_eq("","") is true; keep the existing proptest
prop_constant_time_eq_matches_standard_equality but add this explicit test to
guarantee the edge cases are always exercised.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d092c215-4733-43a8-9c2a-52e9a6f9c12a

📥 Commits

Reviewing files that changed from the base of the PR and between 90fd4d1 and 63105d4.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• crates/http-auth-verifier/Cargo.toml
• crates/http-auth-verifier/src/lib.rs

[github-actions]

Test Results

283 tests   245 ✅  11m 41s ⏱️
 25 suites   38 💤
  1 files      0 ❌

Results for commit a597920.

♻️ This comment has been updated with latest results.