From 67460ea6b286a7c387ac89cb62dc2dcc34f5eff3 Mon Sep 17 00:00:00 2001
From: user
Date: Tue, 17 Mar 2026 11:57:29 -0700
Subject: [PATCH] fix: use timing-safe comparison for OPER credentials

Replace plain != string comparison with crypto/subtle.ConstantTimeCompare for both operator name and password checks in handleOper to prevent timing-based side-channel attacks. Closes review feedback on PR #82.
---
 internal/handlers/api.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/handlers/api.go b/internal/handlers/api.go
index 9209294..d2af8a5 100644
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -2,6 +2,7 @@ package handlers

 import (
 "context"
+ "crypto/subtle"
 "encoding/json"
 "errors"
 "fmt"
@@ -3186,7 +3187,8 @@ func (hdlr *Handlers) handleOper(
 cfgPass := hdlr.params.Config.OperPassword

 if cfgName == "" || cfgPass == "" ||
- operName != cfgName || operPass != cfgPass {
+ subtle.ConstantTimeCompare([]byte(operName), []byte(cfgName)) != 1 ||
+ subtle.ConstantTimeCompare([]byte(operPass), []byte(cfgPass)) != 1 {
 hdlr.enqueueNumeric(
 ctx, clientID, irc.ErrNoOperHost, nick, nil, "No O-lines for your host",