test(agent): cover bearer token const-time compare #400

Merged: intendednull merged 1 commit into main from claude/issue-304-token-ct on Apr 27, 2026

Conversation

@intendednull
Owner

Why

Bearer compare already const-time (13c7dc6, audit/agent-sec). But no test lock behavior. Future refactor could revert silently. #304 still open.

Fix

Add unit tests for tokens_eq_ct:

  • right token pass
  • wrong same-len reject
  • short reject
  • long reject
  • empty reject

No timing assertion (test correctness, not const-time property).

Verify

  • just check clean (fmt, clippy, test, wasm). Zero warnings.
  • All 5 new tokens_eq_ct_* tests pass.
  • subtle = "2" already in crates/agent/Cargo.toml.

Closes #304


Generated by Claude Code

Bearer compare go const-time in 13c7dc6 (#304). Add test:
right token pass, wrong-same-len fail, short fail, long fail,
empty fail. Lock behavior so future edit no break.
@intendednull intendednull merged commit 9d62bf1 into main Apr 27, 2026
7 checks passed
@intendednull intendednull deleted the claude/issue-304-token-ct branch April 27, 2026 08:54
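
The five cases listed in the PR description, run against a std-only constant-time comparison. This is an added example, not the project's `tokens_eq_ct` (which the page does not show); the function name, the sample token and the rule that an empty configured token never matches are assumptions of this sketch.

```rust
use std::hint::black_box;

/// Hypothetical stand-in for a bearer-token check (not the project's code).
/// Returns true only when `presented` equals `expected` byte for byte.
pub fn bearer_eq_ct_sketch(expected: &[u8], presented: &[u8]) -> bool {
    // Assumption of this sketch: an empty configured token never authenticates.
    if expected.is_empty() {
        return false;
    }
    // A length mismatch is recorded in the accumulator instead of returning
    // early, so the loop below always walks every byte of `presented`.
    let mut diff: u8 = (expected.len() != presented.len()) as u8;
    for (i, &p) in presented.iter().enumerate() {
        // Wrap the index so shorter or longer input still reads a valid byte.
        let e = expected[i % expected.len()];
        // OR the byte differences together: no branch on where a mismatch is.
        diff |= black_box(e ^ p);
    }
    black_box(diff) == 0
}

fn main() {
    // Constructed sample token and inputs, mirroring the PR's test list.
    let expected: &[u8] = b"s3cr3t-constructed";
    let cases: [(&str, &[u8]); 5] = [
        ("right token", b"s3cr3t-constructed"),
        ("wrong same-len", b"s3cr3t-constructeD"),
        ("short", b"s3cr3t"),
        ("long", b"s3cr3t-constructed-extra"),
        ("empty", b""),
    ];
    for (name, presented) in cases {
        println!("{name}: {}", bearer_eq_ct_sketch(expected, presented));
    }
}
```

The standard library gives no formal constant-time guarantee; `black_box` only discourages the optimizer, which is why a vetted crate such as `subtle` is the usual choice for production code.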
Development

Successfully merging this pull request may close these issues.

[SEC-A-01] Bearer token compared with non-constant-time equality

2 participants